From 0f64093e46f82c6c7c2c12ee155c828e49f01c9f Mon Sep 17 00:00:00 2001 
From: Mikhail Morfikov Date: Sat, 13 Feb 2021 15:00:16 +0100 Subject: [PATCH] update apparmor profiles --- apparmor.d/abstractions/devices-usb | 30 ++++++++++ apparmor.d/abstractions/disks-read | 2 +- apparmor.d/abstractions/disks-write | 2 +- apparmor.d/abstractions/libvirt-lxc | 9 ++- apparmor.d/abstractions/libvirt-qemu | 10 +++- apparmor.d/adequate | 6 +- apparmor.d/amarok | 2 +- apparmor.d/android-studio | 11 ++-- apparmor.d/anki | 5 ++ apparmor.d/apt-key | 6 +- apparmor.d/apt-listbugs | 5 +- apparmor.d/apt-listchanges | 6 +- apparmor.d/apt-systemd-daily | 3 +- apparmor.d/arduino | 83 ++++++++++++++-------------- apparmor.d/arduino-builder | 56 +++++++++++++++++++ apparmor.d/arduino-ctags | 27 +++++++++ apparmor.d/at-spi-bus-launcher | 5 +- apparmor.d/atom | 5 ++ apparmor.d/birdtray | 5 ++ apparmor.d/brave | 5 ++ apparmor.d/calibre | 23 ++------ apparmor.d/cawbird | 8 ++- apparmor.d/chage | 2 + apparmor.d/check-support-status | 6 +- apparmor.d/child-dpkg | 5 +- apparmor.d/child-lsb_release | 6 +- apparmor.d/chromium-chromium | 5 +- apparmor.d/colord | 8 +-- apparmor.d/colord-sane | 11 +--- apparmor.d/dbus-daemon | 1 + apparmor.d/debsums | 6 +- apparmor.d/discord | 5 ++ apparmor.d/dpkg | 3 +- apparmor.d/dpkg-split | 5 +- apparmor.d/dropbox | 5 ++ apparmor.d/engrampa | 5 ++ apparmor.d/firefox | 5 ++ apparmor.d/firejail-default | 13 +++-- apparmor.d/flameshot | 5 ++ apparmor.d/freetube | 5 ++ apparmor.d/frontend | 2 +- apparmor.d/geany | 4 +- apparmor.d/google-chrome-chrome | 5 ++ apparmor.d/gpartedbin | 5 ++ apparmor.d/gpodder | 5 ++ apparmor.d/gtk-youtube-viewer | 5 ++ apparmor.d/hardinfo | 5 ++ apparmor.d/inxi | 5 +- apparmor.d/jdownloader | 5 ++ apparmor.d/keepassxc | 16 ++---- apparmor.d/kodi | 2 +- apparmor.d/labwc | 5 +- apparmor.d/lsb_release | 5 +- apparmor.d/lsusb | 14 +---- apparmor.d/megasync | 5 ++ apparmor.d/minitube | 5 ++ apparmor.d/mumble | 5 ++ apparmor.d/okular | 5 ++ apparmor.d/opera | 5 ++ apparmor.d/orage | 5 ++ apparmor.d/pcb-gtk | 51 
+++++++++++++++++ apparmor.d/popularity-contest | 6 +- apparmor.d/psi-plus | 5 ++ apparmor.d/qbittorrent | 3 + apparmor.d/qnapi | 5 ++ apparmor.d/qpdfview | 7 ++- apparmor.d/querybts | 5 ++ apparmor.d/quiterss | 5 ++ apparmor.d/reportbug | 11 +++- apparmor.d/scdaemon | 10 +--- apparmor.d/smtube | 5 ++ apparmor.d/strawberry | 5 ++ apparmor.d/syncthing | 5 ++ apparmor.d/system-config-printer | 52 +++++++++++++---- apparmor.d/tasksel | 6 +- apparmor.d/telegram-desktop | 8 ++- apparmor.d/thinkfan | 1 + apparmor.d/thunderbird | 5 ++ apparmor.d/ucf | 6 +- apparmor.d/udevadm | 11 +++- apparmor.d/udiskie | 5 ++ apparmor.d/uname | 2 + apparmor.d/update-ca-certificates | 6 +- apparmor.d/upowerd | 8 +-- apparmor.d/usb-devices | 6 +- apparmor.d/usbguard | 10 ++-- apparmor.d/usbguard-daemon | 7 +-- apparmor.d/usermod | 2 + apparmor.d/usr.sbin.cupsd | 35 +++++++----- apparmor.d/usr.sbin.libvirtd | 10 ++-- apparmor.d/usr.sbin.ntpd | 16 +++--- apparmor.d/vidcutter | 5 ++ apparmor.d/virt-manager | 15 +---- apparmor.d/vlc | 8 +-- apparmor.d/wireshark | 5 ++ apparmor.d/xarchiver | 5 +- 96 files changed, 645 insertions(+), 240 deletions(-) create mode 100644 apparmor.d/abstractions/devices-usb create mode 100644 apparmor.d/arduino-builder create mode 100644 apparmor.d/arduino-ctags create mode 100644 apparmor.d/pcb-gtk diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb new file mode 100644 index 00000000..3cc8557f --- /dev/null +++ b/apparmor.d/abstractions/devices-usb 
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+ /dev/ r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/[0-9]*/ r,
+ /dev/bus/usb/[0-9]*/[0-9]* rw,
+
+ @{sys}/class/ r,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/usb/ r,
+ @{sys}/bus/usb/devices/{,**} r,
+
+ @{sys}/devices/**/usb[0-9]/{,**} rw,
+
+ # Udev data about usb devices (~equal to content of lsusb -v)
+ @{run}/udev/data/+usb:* r,
+ @{run}/udev/data/c16[6,7]* r,
+ @{run}/udev/data/c18[0,8,9]* r,
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 6a0ca0a7..7085869a 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -20,7 +20,7 @@ /dev/sd[a-z][0-9]* rk, @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r, - @{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r, + @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, # SD card devices /dev/mmcblk[0-9]* rk,
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write
index f8af57e0..b021377c 100644
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@@ -20,7 +20,7 @@ /dev/sd[a-z][0-9]* rwk, @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r, - @{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r, + @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, # SD card devices /dev/mmcblk[0-9]* rwk,
diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc
index 51516e68..72278b5b 100644
--- a/apparmor.d/abstractions/libvirt-lxc
+++ b/apparmor.d/abstractions/libvirt-lxc
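Review bot: `@{sys}/devices/**/usb[0-9]/{,**} rw` in this new abstraction grants write access to every sysfs attribute below the USB buses, while the per-profile rules it replaces later in this patch (calibre, colord, colord-sane, keepassxc, android-studio) were read-only on a handful of named attributes. Writable USB sysfs attributes include ones such as `authorized` and `remove` that disable or detach devices, so `r` here plus an explicit `w` rule in the one profile that actually needs it is the safer shape: `@{sys}/devices/**/usb[0-9]/{,**} r,`. `/dev/bus/usb/[0-9]*/[0-9]* rw` likewise hands raw device I/O to every includer; if dbus-daemon's new include is this abstraction, the system bus gets it too. Minor: `[6,7]` and `[0,8,9]` also match a literal comma; `c16[67]*` and `c18[089]*` express the intent.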
@@ -1,4 +1,8 @@ - include + #include + + # Allow receiving signals from libvirtd + signal (receive) peer=libvirtd, + signal (receive) peer=/usr/sbin/libvirtd, umount, @@ -112,3 +116,6 @@ deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, + + # Site-specific additions and overrides. See local/README for details. + #include diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index 98be0d4a..677a4640 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -1,6 +1,6 @@ - include - include - include + #include + #include + #include # required for reading disk images capability dac_override, @@ -102,6 +102,7 @@ # the various binaries /usr/bin/kvm rmix, + /usr/bin/kvm-spice rmix, /usr/bin/qemu rmix, /usr/bin/qemu-aarch64 rmix, /usr/bin/qemu-alpha rmix, @@ -242,3 +243,6 @@ # /sys/bus/nd/devices / r, # harmless on any lsb compliant system /sys/bus/nd/devices/{,**/} r, + + # Site-specific additions and overrides. See local/README for details. + #include diff --git a/apparmor.d/adequate b/apparmor.d/adequate index c54c4997..4e79aac4 100644 --- a/apparmor.d/adequate +++ b/apparmor.d/adequate @@ -36,7 +36,11 @@ profile adequate @{exec_path} flags=(complain) { /{usr/,}bin/pkg-config rCx -> pkg-config, /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/amarok b/apparmor.d/amarok index f8b3cc9c..58a020e3 100644 --- a/apparmor.d/amarok +++ b/apparmor.d/amarok @@ -52,6 +52,7 @@ profile amarok @{exec_path} { include include include + include include ptrace (trace) peer=@{profile_name}, 
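Review bot: Switching `dpkg-query` from `rPx` to `rpx` carries the caller's environment (LD_PRELOAD, LD_LIBRARY_PATH and friends) into the dpkg-query profile instead of scrubbing it, which is exactly the lever `Px` exists to close; the comment states the fakeroot motivation but not the trade-off. The same change appears in apt-key, apt-listbugs, apt-listchanges, check-support-status, child-dpkg, child-lsb_release, debsums, dpkg, dpkg-split and inxi, several of which run as root. Worth recording why it is acceptable, e.g. `# rpx rather than rPx: the dpkg-query profile still confines what a preloaded library can map; env is kept only so fakeroot keeps working.` — assuming that holds, which the dpkg-query profile (not in this patch) would need to confirm. The bare `+ #` line left after the rule reads as a leftover placeholder.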
@@ -160,7 +161,6 @@ profile amarok @{exec_path} { deny @{sys}/devices/ r, deny @{sys}/devices/virtual/net/**/{uevent,type} r, deny @{sys}/devices/virtual/sound/seq/uevent r, - deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r, deny @{sys}/devices/system/node/ r, deny @{run}/udev/data/* r, diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio index 97d4dca7..b2cb9f29 100644 --- a/apparmor.d/android-studio +++ b/apparmor.d/android-studio @@ -33,6 +33,7 @@ profile android-studio @{exec_path} { include include include + include include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -230,11 +231,6 @@ profile android-studio @{exec_path} { /dev/kvm rw, - /dev/bus/usb/ r, - /dev/bus/usb/[0-9]*/ r, - /dev/bus/usb/[0-9]*/[0-9]* rw, - - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/serial r, @{sys}/devices/virtual/block/**/rotational r, @@ -282,7 +278,10 @@ profile android-studio @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{HOME}/ r, diff --git a/apparmor.d/anki b/apparmor.d/anki index 33f9b7e5..406ddcca 100644 --- a/apparmor.d/anki +++ b/apparmor.d/anki @@ -185,6 +185,11 @@ profile anki @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/apt-key b/apparmor.d/apt-key index ae1a6709..768f01de 100644 --- a/apparmor.d/apt-key +++ b/apparmor.d/apt-key 
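Review bot: The `/{usr/,}bin/{,ba,da}sh rix` + gawk/readlink/basename block added at the end of this hunk is pasted verbatim into some twenty profiles in this patch (anki, atom, birdtray, brave, calibre, cawbird, chromium-chromium, discord, dropbox, engrampa, firefox, flameshot, freetube, google-chrome-chrome, gpartedbin, gpodder, gtk-youtube-viewer, hardinfo, jdownloader, keepassxc), so it will drift. Since `ix` lets the shell inherit everything the enclosing child profile allows, it belongs in one shared file under apparmor.d/abstractions/ that each child profile includes, with a comment saying which xdg-open script needs the four binaries. The enclosing profile's header is outside the hunk, so which child profile this lands in is inferred only from the `xdg-open mr` context line.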
@@ -43,7 +43,11 @@ profile apt-key @{exec_path} { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/apt-config rPx, # For shell pwd diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs index 681f4398..26d468a0 100644 --- a/apparmor.d/apt-listbugs +++ b/apparmor.d/apt-listbugs @@ -36,7 +36,10 @@ profile apt-listbugs @{exec_path} { /{usr/,}bin/logname rix, /{usr/,}bin/apt-config rPx, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges index b7d2b90e..88d3b92e 100644 --- a/apparmor.d/apt-listchanges +++ b/apparmor.d/apt-listchanges @@ -30,7 +30,11 @@ profile apt-listchanges @{exec_path} { /{usr/,}bin/tar rix, /{usr/,}bin/hostname rPx, - /{usr/,}bin/dpkg-deb rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-deb rpx, + # /{usr/,}bin/sensible-pager rCx -> pager, # Send results using email /{usr/,}sbin/exim4 rPx, diff --git a/apparmor.d/apt-systemd-daily b/apparmor.d/apt-systemd-daily index 76c218dd..8e597215 100644 --- a/apparmor.d/apt-systemd-daily +++ b/apparmor.d/apt-systemd-daily @@ -14,7 +14,7 @@ abi , include @{exec_path} = /{usr/,}lib/apt/apt.systemd.daily -profile apt-systemd-daily @{exec_path} { +profile apt-systemd-daily @{exec_path} flags=(complain) { include # Needed to remove the following error: 
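Review bot: `flags=(complain)` on apt-systemd-daily turns a root-run periodic job from enforce to log-only, and nothing in the hunk or the commit message says why or for how long. The next hunk adds `/var/lib/apt/periodic/autoclean-stamp w`, which suggests denials are still being collected; a comment on the profile line would make the state explicit, e.g. `# complain: still collecting denials for /var/lib/apt/periodic/* — drop once the list is complete.`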
@@ -55,6 +55,7 @@ profile apt-systemd-daily @{exec_path} { /var/lib/apt/daily_lock wk, /var/lib/apt/extended_states r, + /var/lib/apt/periodic/autoclean-stamp w, /var/backups/ r, /var/backups/apt.extended_states rw, diff --git a/apparmor.d/arduino b/apparmor.d/arduino index 3de6e9a9..59af9797 100644 --- a/apparmor.d/arduino +++ b/apparmor.d/arduino @@ -22,7 +22,7 @@ profile arduino @{exec_path} { include include include - include + include network inet dgram, network inet6 dgram, 
@@ -30,69 +30,63 @@ profile arduino @{exec_path} { network inet6 stream, network netlink raw, + ptrace (read) peer=arduino//open, + ptrace (read) peer=arduino-builder, + @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/id rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/groups rix, - - /{usr/,}bin/avr-g++ rix, - /{usr/,}bin/avr-gcc rix, - /{usr/,}bin/avr-size rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, /{usr/,}bin/avrdude rix, - /{usr/,}lib/gcc/avr/*/cc1plus rix, - /{usr/,}lib/gcc/avr/*/cc1 rix, - /{usr/,}lib/gcc/avr/*/collect2 rix, - /{usr/,}lib/avr/bin/as rix, - /{usr/,}lib/avr/bin/ar rix, - /{usr/,}lib/avr/bin/ld rix, - /{usr/,}lib/avr/bin/objcopy rix, /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/dpkg-architecture rPx, + /{usr/,}bin/arduino-builder rPx, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, /usr/share/java/*.jar r, /etc/java-[0-9]*-openjdk/** r, + /etc/ssl/certs/java/cacerts r, + owner @{HOME}/.java/fonts/*/ rw, owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, - /usr/share/arduino/ r, - /usr/share/arduino/** r, + include + owner @{run}/user/[0-9]*/dconf/user rw, - /usr/share/doc/arduino-core/ r, - /usr/share/doc/arduino-core/** r, + /usr/share/arduino/{,**} r, + /usr/share/arduino-builder/{,**} r, + + /usr/share/doc/arduino/{,**} r, + /usr/share/doc/arduino-core/{,**} r, owner @{HOME}/ r, - owner @{HOME}/.arduino/ rw, - owner @{HOME}/.arduino/preferences.txt rw, - - owner @{HOME}/sketchbook/ rw, - owner @{HOME}/sketchbook/** rw, + owner @{HOME}/.arduino{,15}/{,**} rw, + owner @{HOME}/Arduino/{,**} rw, + owner @{HOME}/sketchbook/{,**} rw, owner @{HOME}/.Xauthority r, /tmp/ r, - owner /tmp/cc*.s rw, - owner /tmp/cc*.res rw, - owner /tmp/cc*.c rw, - owner /tmp/cc*.o rw, - owner /tmp/cc*.ld rw, - owner /tmp/cc*.le rw, + owner /tmp/cc*.{s,res,c,o,ld,le} rw, owner /tmp/hsperfdata_*/ rw, owner 
/tmp/hsperfdata_*/@{pid} rw, owner /tmp/untitled[0-9]*.tmp rw, - owner /tmp/untitled[0-9]*.tmp/ rw, - owner /tmp/untitled[0-9]*.tmp/sketch_*/ rw, - owner /tmp/untitled[0-9]*.tmp/sketch_*/sketch_*.ino rw, - owner /tmp/untitled[0-9]*.tmp/sketch_*/sketch_*.ino[0-9]*.tmp rw, + owner /tmp/untitled[0-9]*.tmp/{,**} rw, owner /tmp/console[0-9]*.tmp rw, - owner /tmp/console[0-9]*.tmp/ rw, - owner /tmp/console[0-9]*.tmp/stdout.txt rw, - owner /tmp/console[0-9]*.tmp/stderr.txt rw, + owner /tmp/console[0-9]*.tmp/{,**} rw, owner /tmp/build[0-9]*.tmp rw, - owner /tmp/build[0-9]*.tmp/ rw, - owner /tmp/build[0-9]*.tmp/* rw, + owner /tmp/build[0-9]*.tmp/{,**} rw, + owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw, + owner /tmp/{library,package}_index.json*.tmp* rw, + owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw, owner @{run}/lock/tmp* rw, owner @{run}/lock/LCK..ttyS[0-9]* rw, @@ -104,6 +98,9 @@ profile arduino @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, + # For java + @{PROC}/@{pids}/stat r, + # owner @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, @@ -113,12 +110,11 @@ profile arduino @{exec_path} { /etc/avrdude.conf r, @{sys}/fs/cgroup/** r, + @{sys}/class/tty/ r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r, - /dev/ r, /dev/ttyS[0-9]* rw, - /dev/bus/usb/ r, - /dev/bus/usb/[0-9]*/ r, - /dev/bus/usb/[0-9]*/[0-9]* rw, + /dev/ttyACM[0-9]* rw, # Silencer deny /usr/share/arduino/** w, @@ -130,9 +126,10 @@ profile arduino @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/gawk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{HOME}/ r, diff --git a/apparmor.d/arduino-builder b/apparmor.d/arduino-builder new file mode 100644 index 00000000..81597b05 --- /dev/null +++ b/apparmor.d/arduino-builder 
@@ -0,0 +1,56 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/arduino-builder
+profile arduino-builder @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/avr-g++ rix,
+ /{usr/,}bin/avr-gcc rix,
+ /{usr/,}bin/avr-gcc-ar rix,
+ /{usr/,}bin/avr-size rix,
+ /{usr/,}bin/avrdude rix,
+ /{usr/,}lib/gcc/avr/[0-9]*/cc1plus rix,
+ /{usr/,}lib/gcc/avr/[0-9]*/cc1 rix,
+ /{usr/,}lib/gcc/avr/[0-9]*/collect2 rix,
+ /{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix,
+ /{usr/,}lib/gcc/avr/[0-9]*/lto1 rix,
+ /{usr/,}lib/avr/bin/as rix,
+ /{usr/,}lib/avr/bin/ar rix,
+ /{usr/,}lib/avr/bin/ld rix,
+ /{usr/,}lib/avr/bin/objcopy rix,
+
+ /{usr/,}bin/arduino-ctags rPx,
+
+ /usr/share/arduino/{,**} r,
+ /usr/share/arduino-builder/{,**} r,
+
+ /usr/share/doc/arduino/{,**} r,
+
+ owner @{HOME}/Arduino/{,**} r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ /tmp/ r,
+ owner /tmp/cc* rw,
+ owner /tmp/untitled[0-9]*.tmp/{,**} rw,
+ owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+
+ include if exists
+}
diff --git a/apparmor.d/arduino-ctags b/apparmor.d/arduino-ctags
new file mode 100644
index 00000000..88d1fa3c
--- /dev/null
+++ b/apparmor.d/arduino-ctags
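Review bot: `owner /tmp/cc* rw` in the new arduino-builder profile matches any owner-owned /tmp entry whose name starts with `cc`, whereas the arduino profile in this same patch narrows the compiler scratch files to `owner /tmp/cc*.{s,res,c,o,ld,le} rw`; the two should agree. Using the same suffix list here, `owner /tmp/cc*.{s,res,c,o,ld,le} rw,`, keeps the profiles consistent. The profile carries no `flags=(complain)`, so it enforces from the first load — fine if it has been exercised against a real build, which the patch cannot show.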
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/arduino-ctags
+profile arduino-ctags @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner /tmp/tags.* rw,
+
+ owner /tmp/arduino_build_[0-9]*/** r,
+
+ include if exists
+}
diff --git a/apparmor.d/at-spi-bus-launcher b/apparmor.d/at-spi-bus-launcher
index 34fae1b0..0be37efd 100644
--- a/apparmor.d/at-spi-bus-launcher
+++ b/apparmor.d/at-spi-bus-launcher
@@ -18,7 +18,6 @@ include profile at-spi-bus-launcher @{exec_path} { include include - include include # Needed?
@@ -40,6 +39,10 @@ profile at-spi-bus-launcher @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + include + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/atom b/apparmor.d/atom
index 29aa7041..2869a0be 100644
--- a/apparmor.d/atom
+++ b/apparmor.d/atom
@@ -191,6 +191,11 @@ profile atom @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r,
diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray
index f36668e6..c7f0cd1c 100644
--- a/apparmor.d/birdtray
+++ b/apparmor.d/birdtray
@@ -87,6 +87,11 @@ profile birdtray @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r,
diff --git a/apparmor.d/brave b/apparmor.d/brave index ef2b18ce..7bfaa058 100644 --- a/apparmor.d/brave +++ b/apparmor.d/brave @@ -209,6 +209,11 @@ profile brave @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/calibre b/apparmor.d/calibre index fd807fc9..57cb06b1 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -46,6 +46,7 @@ profile calibre @{exec_path} { include include include + include include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -142,25 +143,8 @@ profile calibre @{exec_path} { /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, /usr/share/qt5/**.pak r, - # For sending books to a phone - /dev/bus/usb/ r, - /dev/bus/usb/** rw, - - @{sys}/class/ r, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{bDeviceClass,bcdDevice,manufacturer,product} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{idVendor,idProduct} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}serial r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{speed,descriptors,bConfigurationValue,interface} r, - @{sys}/devices/pci[0-9]*/**/irq r, - @{run}/udev/data/+usb* r, # - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /dev/shm/ r, /dev/shm/#[0-9]*[0-9] rw, owner /dev/shm/.org.chromium.Chromium.* rw, @@ -185,7 +169,10 @@ profile calibre @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{HOME}/ r, diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index 3d10ce74..e6755003 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird 
@@ -50,7 +50,8 @@ profile cawbird @{exec_path} { # This is needed as cawbird stores its settings in the dconf database. include - @{run}/user/[0-9]*/dconf/user rw, + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -76,6 +77,11 @@ profile cawbird @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/chage b/apparmor.d/chage index 14617da4..83c5dd9a 100644 --- a/apparmor.d/chage +++ b/apparmor.d/chage @@ -22,6 +22,8 @@ profile chage @{exec_path} { # To write records to the kernel auditing log. capability audit_write, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status index 9d759789..fc3fc3a6 100644 --- a/apparmor.d/check-support-status +++ b/apparmor.d/check-support-status @@ -46,7 +46,11 @@ profile check-support-status @{exec_path} { /{usr/,}bin/envsubst rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/debconf-escape rCx -> debconf-escape, diff --git a/apparmor.d/child-dpkg b/apparmor.d/child-dpkg index 5d4d2f05..75912589 100644 --- a/apparmor.d/child-dpkg +++ b/apparmor.d/child-dpkg @@ -29,7 +29,10 @@ profile child-dpkg { /{usr/,}bin/dpkg mr, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, 
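Review bot: `network netlink raw` is added to chage without a comment, separated from the `capability audit_write` rule that the preceding comment explains; writing audit records goes through a netlink socket, so the two rules presumably serve the same need. Keeping them adjacent under one comment, `# To write records to the kernel auditing log (audit netlink socket).`, makes the pairing visible — confirm against the denial that prompted the rule.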
diff --git a/apparmor.d/child-lsb_release b/apparmor.d/child-lsb_release index 09906b4a..d72abb97 100644 --- a/apparmor.d/child-lsb_release +++ b/apparmor.d/child-lsb_release @@ -45,7 +45,11 @@ profile child-lsb_release { # /{usr/,}bin/sed ixr, # /{usr/,}bin/tr ixr, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/apt-cache rPx, /{usr/,}bin/ r, diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index e12e24d7..e763a123 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -197,7 +197,10 @@ profile chromium-chromium @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{HOME}/ r, diff --git a/apparmor.d/colord b/apparmor.d/colord index 234bd5fa..4546abee 100644 --- a/apparmor.d/colord +++ b/apparmor.d/colord @@ -17,6 +17,7 @@ include profile colord @{exec_path} { include include + include network netlink raw, @@ -32,18 +33,11 @@ profile colord @{exec_path} { /usr/share/color/icc/{,**} r, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP}-*/{enabled,edid} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/colord-sane b/apparmor.d/colord-sane index 8d2c041e..b71e6d27 100644 --- a/apparmor.d/colord-sane +++ b/apparmor.d/colord-sane 
@@ -17,6 +17,7 @@ include @{exec_path} += /usr/libexec/colord-sane profile colord-sane @{exec_path} flags=(complain) { include + include network netlink raw, @@ -31,17 +32,9 @@ profile colord-sane @{exec_path} flags=(complain) { /var/lib/snmp/{mib,cert}_indexes/ rw, /usr/share/snmp/mibs/{,*} r, - /dev/bus/usb/ r, - - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, @{sys}/bus/scsi/devices/ r, - @{sys}/class/ r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r, - @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # + @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, @{PROC}/sys/dev/parport/ r, diff --git a/apparmor.d/dbus-daemon b/apparmor.d/dbus-daemon index 1af982cc..fb51bf7e 100644 --- a/apparmor.d/dbus-daemon +++ b/apparmor.d/dbus-daemon @@ -16,6 +16,7 @@ include @{exec_path} = /{usr/,}bin/dbus-daemon profile dbus-daemon @{exec_path} { include + include include capability setgid, diff --git a/apparmor.d/debsums b/apparmor.d/debsums index 4c898b7e..0347e867 100644 --- a/apparmor.d/debsums +++ b/apparmor.d/debsums @@ -33,7 +33,11 @@ profile debsums @{exec_path} { /etc/locale.nopurge r, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, diff --git a/apparmor.d/discord b/apparmor.d/discord index 27bb01ac..9fecb4b4 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -199,6 +199,11 @@ profile discord @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, 
diff --git a/apparmor.d/dpkg b/apparmor.d/dpkg index 5be5e4ef..101efaf6 100644 --- a/apparmor.d/dpkg +++ b/apparmor.d/dpkg @@ -37,11 +37,12 @@ profile dpkg @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/rm rix, - /{usr/,}bin/dpkg-query rPx, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/dpkg-deb rpx, + # /{usr/,}bin/dpkg-split rPx, /usr/share/debian-security-support/check-support-status.hook rPx, diff --git a/apparmor.d/dpkg-split b/apparmor.d/dpkg-split index fbb55ff4..bbc64bff 100644 --- a/apparmor.d/dpkg-split +++ b/apparmor.d/dpkg-split @@ -22,7 +22,10 @@ profile dpkg-split @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg-deb rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-deb rpx, /var/lib/dpkg/parts/ r, /var/lib/dpkg/parts/* r, diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox index 95e1f55b..70bea173 100644 --- a/apparmor.d/dropbox +++ b/apparmor.d/dropbox @@ -135,6 +135,11 @@ profile dropbox @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa index 5800063b..4deba277 100644 --- a/apparmor.d/engrampa +++ b/apparmor.d/engrampa @@ -101,6 +101,11 @@ profile engrampa @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 9cc63a49..2ccd4e05 100644 
--- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -201,6 +201,11 @@ profile firefox @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/firejail-default b/apparmor.d/firejail-default index aaf72597..ec87f1d2 100644 --- a/apparmor.d/firejail-default +++ b/apparmor.d/firejail-default @@ -4,7 +4,7 @@ # AppArmor 3.0 uses the @{run} variable in # and . -include +#include ########## # A simple PID declaration based on Ubuntu's @{pid} @@ -14,14 +14,14 @@ include ########## @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} -profile firejail-default flags=(attach_disconnected, complain, mediate_deleted) { +profile firejail-default flags=(attach_disconnected,mediate_deleted) { ########## # Allow D-Bus access. It may negatively affect security. Comment those lines or # use 'nodbus' option in profile if you don't need D-Bus functionality. ########## -include -include +#include +#include dbus, # Add rule in order to avoid dbus-*=filter breakage (#3432) owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w, @@ -112,7 +112,8 @@ network inet6, network unix, network netlink, network raw, -# needed for wireshark +# needed for wireshark, tcpdump etc +network bluetooth, network packet, ########## @@ -161,5 +162,5 @@ capability setfcap, #capability mac_admin, # Site-specific additions and overrides. See local/README for details. -include +#include } diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index 3f34d6c9..adf08ad0 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot 
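Review bot: Dropping `complain` from `profile firejail-default flags=(...)` moves every firejail sandbox that uses this profile from log-only to enforcing, a behaviour change the commit title "update apparmor profiles" does not mention; it deserves its own line in the commit message. The same hunk also rewrites `include` to `#include` (likewise at the top and bottom of this file and in the libvirt-lxc and libvirt-qemu abstractions), while the rest of the tree in this patch uses the bare `include` form; both are accepted by apparmor_parser, but mixing them is a style inconsistency worth a comment if it is deliberate, e.g. `# #include form kept to stay in sync with the upstream copy of this file`.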
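Review bot: `network bluetooth` is added to firejail-default, which applies to every sandboxed application, yet the comment justifies it only with `# needed for wireshark, tcpdump etc`. A capture tool needing it does not mean all sandboxes should get Bluetooth sockets; either keep it out of the default and grant it in the per-application profile, or state in the comment that the default is intentionally permissive here, e.g. `# Bluetooth sockets are allowed in the default profile on purpose; restrict per application if needed.`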
@@ -84,6 +84,11 @@ profile flameshot @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/freetube b/apparmor.d/freetube index ced88c82..096f9e14 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube @@ -132,6 +132,11 @@ profile freetube @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/frontend b/apparmor.d/frontend index 6d41c8dd..2640a990 100644 --- a/apparmor.d/frontend +++ b/apparmor.d/frontend @@ -123,7 +123,7 @@ profile frontend @{exec_path} flags=(complain) { @{sys}/ r, @{sys}/**/ r, @{run}/ r, - @{run}/** r, + @{run}/** rw, /tmp/ r, owner /tmp/** rw, diff --git a/apparmor.d/geany b/apparmor.d/geany index b70a7e9c..36b1d9e5 100644 --- a/apparmor.d/geany +++ b/apparmor.d/geany @@ -34,8 +34,10 @@ profile geany @{exec_path} { @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + # For the sorting feature - /{usr/,}bin/sort rix, + /{usr/,}bin/sort rix, # When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following # root processes: diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index 609c2dc6..10797841 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -192,6 +192,11 @@ profile google-chrome-chrome @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index 98fdb1f5..e241d52b 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin 
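Review bot: `@{run}/** rw` gives the debconf frontend write access to every file under /run — other services' sockets, pid and lock files included — where the old rule was read-only. The profile is in complain mode, so today this only changes what is logged, but the rule will be taken at face value once it is enforced; the denial that prompted it should name the actual path, and `owner @{run}/** rw,` or that specific path is the narrower rule.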
@@ -217,6 +217,11 @@ profile gpartedbin @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/gpodder b/apparmor.d/gpodder index 6dd62c79..91a3fb8f 100644 --- a/apparmor.d/gpodder +++ b/apparmor.d/gpodder @@ -84,6 +84,11 @@ profile gpodder @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/gtk-youtube-viewer b/apparmor.d/gtk-youtube-viewer index fe2ca205..2fb3b47a 100644 --- a/apparmor.d/gtk-youtube-viewer +++ b/apparmor.d/gtk-youtube-viewer @@ -108,6 +108,11 @@ profile gtk-youtube-viewer @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index 1532e7a3..ac9222a5 100644 --- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -168,6 +168,11 @@ profile hardinfo @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/inxi b/apparmor.d/inxi index 1dc7bdd8..1e7b9a8c 100644 --- a/apparmor.d/inxi +++ b/apparmor.d/inxi 
@@ -45,7 +45,10 @@ profile inxi @{exec_path} { /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/compton rPx, /{usr/,}bin/xrandr rPx, diff --git a/apparmor.d/jdownloader b/apparmor.d/jdownloader index 7f82eb3e..4558ab46 100644 --- a/apparmor.d/jdownloader +++ b/apparmor.d/jdownloader @@ -112,6 +112,11 @@ profile jdownloader @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc index bb4ddac2..ddfdc410 100644 --- a/apparmor.d/keepassxc +++ b/apparmor.d/keepassxc @@ -31,6 +31,7 @@ profile keepassxc @{exec_path} { include include include + include include network inet dgram, @@ -90,16 +91,6 @@ profile keepassxc @{exec_path} { /etc/fstab r, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/class/ r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # - - /dev/bus/usb/ r, /dev/shm/#[0-9]*[0-9] rw, # For browser integration @@ -133,6 +124,11 @@ profile keepassxc @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/kodi b/apparmor.d/kodi index 46786b1b..13db35e9 100644 --- a/apparmor.d/kodi +++ b/apparmor.d/kodi 
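Review bot: Switching `dpkg-query` from `rPx` to `rpx` turns off environment scrubbing on the transition, so a caller-set LD_PRELOAD or LD_LIBRARY_PATH now carries into the dpkg-query profile instead of being dropped; the comment explains the fakeroot symptom but not that trade-off. Worth stating it next to the rule, e.g. `# rpx: env is NOT scrubbed, so LD_PRELOAD/LD_LIBRARY_PATH from this profile reach dpkg-query`, and confirming that the dpkg-query profile itself limits which libraries it can map. The same change with the same three-line comment appears in the lsb_release, popularity-contest, reportbug, tasksel, ucf and update-ca-certificates hunks of this patch; one explanation kept in a single place would avoid seven copies that will drift.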
@@ -79,8 +79,8 @@ profile kodi @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{bDeviceClass,idProduct,idVendor} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{bDeviceClass,idProduct,idVendor} r, - @{sys}/devices/system/node/node0/meminfo r, @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r, diff --git a/apparmor.d/labwc b/apparmor.d/labwc index dd7d95af..3c06435e 100644 --- a/apparmor.d/labwc +++ b/apparmor.d/labwc @@ -26,6 +26,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -49,8 +50,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) { owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, - @{sys}/bus/ r, - @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/input/ r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @@ -62,11 +61,9 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+acpi* r, # for ? @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard @{run}/udev/data/+pci* r, # for VGA compatible controller - @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/+sound:card* r, # for sound @{run}/udev/data/+serio* r, # for touchpad? @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* @{run}/systemd/sessions/[0-9]* r, diff --git a/apparmor.d/lsb_release b/apparmor.d/lsb_release index 56e4adea..c32357e3 100644 --- a/apparmor.d/lsb_release +++ b/apparmor.d/lsb_release 
@@ -24,7 +24,10 @@ profile lsb_release @{exec_path} { /{usr/,}bin/ r, /{usr/,}bin/apt-cache rPx, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, /etc/lsb-release r, /etc/debian_version r, diff --git a/apparmor.d/lsusb b/apparmor.d/lsusb index 053f6ff9..fdb2bb55 100644 --- a/apparmor.d/lsusb +++ b/apparmor.d/lsusb @@ -16,23 +16,13 @@ include @{exec_path} = /{usr/,}bin/lsusb profile lsusb @{exec_path} { include + include + include network netlink raw, @{exec_path} mr, - /dev/bus/usb/ r, - /dev/bus/usb/** rw, - - @{sys}/class/ r, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, - - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r, - - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # - /etc/udev/hwdb.bin r, include if exists diff --git a/apparmor.d/megasync b/apparmor.d/megasync index 7700b59c..35fac814 100644 --- a/apparmor.d/megasync +++ b/apparmor.d/megasync @@ -102,6 +102,11 @@ profile megasync @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/" r, diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 8a0cf7af..ff7387b3 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -112,6 +112,11 @@ profile minitube @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/mumble b/apparmor.d/mumble index 5c665d52..577aaf66 100644 --- a/apparmor.d/mumble +++ b/apparmor.d/mumble 
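Review bot: The lsusb hunk drops `/dev/bus/usb/** rw` together with the sysfs and udev rules and replaces them with two `include` lines whose targets are not visible in this rendering (presumably the new abstraction listed in the diffstat). If the abstraction carries the `rw` on `/dev/bus/usb/**` that only lsusb had, every profile that now includes it — keepassxc, labwc, scdaemon, upowerd, usb-devices, usbguard, virt-manager and vlc in this patch — gains device write access it did not have; if it does not, lsusb loses it. A comment beside the include stating which it is, e.g. `# devices-usb is read-only sysfs/udev; /dev/bus/usb/** rw stays per-profile`, would make that checkable.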
@@ -91,6 +91,11 @@ profile mumble @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/okular b/apparmor.d/okular index a5ad5dac..ae447a6b 100644 --- a/apparmor.d/okular +++ b/apparmor.d/okular @@ -109,6 +109,11 @@ profile okular @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/opera b/apparmor.d/opera index 7d9c1e3b..6db15073 100644 --- a/apparmor.d/opera +++ b/apparmor.d/opera @@ -189,6 +189,11 @@ profile opera @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/orage b/apparmor.d/orage index bd806269..2a8b01be 100644 --- a/apparmor.d/orage +++ b/apparmor.d/orage @@ -58,6 +58,11 @@ profile orage @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/pcb-gtk b/apparmor.d/pcb-gtk new file mode 100644 index 00000000..a8fc202c --- /dev/null +++ b/apparmor.d/pcb-gtk 
@@ -0,0 +1,51 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/pcb-gtk +profile pcb-gtk @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/pcb/ListLibraryContents.sh rix, + + /{usr/,}bin/dash rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/tr rix, + + /usr/share/pcb/ r, + /usr/share/pcb/** r, + + owner @{HOME}/.pcb/ rw, + owner @{HOME}/.pcb/preferences rw, + + owner @{HOME}/PCB.[0-9]*.backup rw, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + include if exists +} diff --git a/apparmor.d/popularity-contest b/apparmor.d/popularity-contest index 681c9594..91a3e873 100644 --- a/apparmor.d/popularity-contest +++ b/apparmor.d/popularity-contest @@ -34,7 +34,11 @@ profile popularity-contest @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/env rix, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index c8cafe80..76fb629b 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus 
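Review bot: The new pcb-gtk profile spells the shell as `/{usr/,}bin/dash rix,` while every other profile in this patch uses `/{usr/,}bin/{,ba,da}sh rix,`; if ListLibraryContents.sh runs via `#!/bin/sh`, the rule breaks on a system where sh is not dash. Using the shared form keeps it consistent with the rest of the tree, and a comment above the three helper lines, `# for /usr/share/pcb/ListLibraryContents.sh`, would tie them to the script they serve.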
@@ -147,6 +147,11 @@ profile psi-plus @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent index af7e31a7..a349c4ba 100644 --- a/apparmor.d/qbittorrent +++ b/apparmor.d/qbittorrent @@ -159,6 +159,9 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{HOME}/ r, diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi index 48679277..c609dbd6 100644 --- a/apparmor.d/qnapi +++ b/apparmor.d/qnapi @@ -136,6 +136,11 @@ profile qnapi @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/qpdfview b/apparmor.d/qpdfview index 99131d94..be6b0940 100644 --- a/apparmor.d/qpdfview +++ b/apparmor.d/qpdfview @@ -54,7 +54,7 @@ profile qpdfview @{exec_path} { owner /media/**/ r, /tmp/ r, /tmp/mozilla_*/ r, - owner /{home,media,tmp/mozilla_*}/**.@{qpdfview_ext} rw, + owner /{home,media,tmp,tmp/mozilla_*}/**.@{qpdfview_ext} rw, owner @{HOME}/.config/qpdfview/ rw, owner @{HOME}/.config/qpdfview/* rwkl -> @{HOME}/.config/qpdfview/#[0-9]*[0-9], @@ -109,6 +109,11 @@ profile qpdfview @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/querybts b/apparmor.d/querybts index 12cf7650..55e4c45d 100644 --- a/apparmor.d/querybts +++ b/apparmor.d/querybts 
@@ -70,6 +70,11 @@ profile querybts @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index 5422f93f..5caa2b62 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -102,6 +102,11 @@ profile quiterss @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index d24669ed..1c29f062 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug @@ -54,7 +54,11 @@ profile reportbug @{exec_path} { /{usr/,}bin/debsums rPx, /{usr/,}bin/dlocate rPx, /{usr/,}bin/apt-cache rPx, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}sbin/exim4 rPx, /{usr/,}bin/lsb_release rPx -> child-lsb_release, @@ -127,6 +131,11 @@ profile reportbug @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/scdaemon b/apparmor.d/scdaemon index a18eee3f..c4e01882 100644 --- a/apparmor.d/scdaemon +++ b/apparmor.d/scdaemon @@ -16,6 +16,7 @@ include @{exec_path} = /{usr/,}lib/gnupg/scdaemon profile scdaemon @{exec_path} { include + include network netlink raw, 
@@ -27,14 +28,7 @@ profile scdaemon @{exec_path} { @{PROC}/@{pid}/task/@{tid}/comm rw, - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # - - /dev/bus/usb/ r, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/class/ r, - @{sys}/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent,bConfigurationValue} r, + @{sys}/devices/pci[0-9]*/**/bConfigurationValue r, include if exists } diff --git a/apparmor.d/smtube b/apparmor.d/smtube index 728f0730..a3696573 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -98,6 +98,11 @@ profile smtube @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index e035d4a8..7e254ebf 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry @@ -129,6 +129,11 @@ profile strawberry @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing index 242ad2a6..5b404dcd 100644 --- a/apparmor.d/syncthing +++ b/apparmor.d/syncthing @@ -55,6 +55,11 @@ profile syncthing @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer index 584db5fe..279578ea 100644 --- a/apparmor.d/system-config-printer +++ b/apparmor.d/system-config-printer 
@@ -13,8 +13,9 @@ abi , include -@{exec_path} = /{usr/,}bin/system-config-printer /usr/share/system-config-printer/system-config-printer.py -profile system-config-printer @{exec_path} { +@{exec_path} = /{usr/,}bin/system-config-printer +@{exec_path} += /usr/share/system-config-printer/system-config-printer.py +profile system-config-printer @{exec_path} flags=(complain) { include include include @@ -23,7 +24,6 @@ profile system-config-printer @{exec_path} { include include include - include include network inet stream, @@ -34,23 +34,55 @@ profile system-config-printer @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}lib/cups/*/* rCx -> cups, + + # For HP printers + /usr/share/hplip/query.py rPUx, + /usr/share/system-config-printer/{,**} r, + /usr/share/cups/data/testprint r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/fstab r, + + /etc/cups/cupsd.conf r, + + /etc/cupshelpers/preferreddrivers.xml r, + + /etc/papersize r, + + # To set the default printer + owner @{HOME}/.cups/ rw, + owner @{HOME}/.cups/lpoptions rw, + + owner /tmp/* rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, - /etc/fstab r, - - /etc/cups/cupsd.conf r, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - owner /tmp/* rw, + include + @{run}/user/[0-9]*/dconf/ rw, + @{run}/user/[0-9]*/dconf/user rw, # file_inherit owner /dev/tty[0-9]* rw, + + profile cups flags=(complain) { + include + + network inet dgram, + network inet6 dgram, + + /{usr/,}lib/cups/*/* mr, + + /etc/cups/snmp.conf r, + + } + include if exists } diff --git a/apparmor.d/tasksel b/apparmor.d/tasksel index fbef98ac..790eb1a8 100644 --- a/apparmor.d/tasksel +++ b/apparmor.d/tasksel 
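Review bot: `flags=(complain)` is added to both the system-config-printer profile and the new `cups` child, which moves the whole program from enforcing to log-only; that is stated nowhere and deserves a comment such as `# complain while the cups child and HP rules are verified` or a line in the commit message. Two rules in the same hunk also stand out: `/usr/share/hplip/query.py rPUx,` falls back to unconfined whenever no hplip profile is loaded, and `@{run}/user/[0-9]*/dconf/user rw,` lacks the `owner` qualifier the other per-user runtime rules in this patch carry (`owner @{run}/user/[0-9]*/ r,`), so suggest `owner @{run}/user/[0-9]*/dconf/{,user} rw,`.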
@@ -31,7 +31,11 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/debconf/frontend rPx, #/usr/share/debconf/frontend rCx -> frontend, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/apt-cache rPx, /{usr/,}bin/debconf-apt-progress rPx, diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop index 73b3c1a1..3719be9b 100644 --- a/apparmor.d/telegram-desktop +++ b/apparmor.d/telegram-desktop @@ -45,6 +45,8 @@ profile telegram-desktop @{exec_path} { @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + # Launch external apps /{usr/,}bin/xdg-open rCx -> open, @@ -66,6 +68,7 @@ profile telegram-desktop @{exec_path} { /dev/shm/#[0-9]*[0-9] rw, + owner @{PROC}/@{pid}/fd/ r, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @@ -97,7 +100,10 @@ profile telegram-desktop @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{TELEGRAM_WORK_DIR}/ r, diff --git a/apparmor.d/thinkfan b/apparmor.d/thinkfan index c1d9d0bb..32cd4ae8 100644 --- a/apparmor.d/thinkfan +++ b/apparmor.d/thinkfan @@ -20,6 +20,7 @@ profile thinkfan @{exec_path} { @{exec_path} mr, /etc/thinkfan.conf r, + /etc/thinkfan.yaml r, @{sys}/devices/platform/**/hwmon/**/pwm[0-9]* rw, @{sys}/devices/platform/**/hwmon/**/pwm[0-9]*_enable rw, diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird index 21b2e94d..f59a359d 100644 --- a/apparmor.d/thunderbird +++ b/apparmor.d/thunderbird 
@@ -254,6 +254,11 @@ profile thunderbird @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/ucf b/apparmor.d/ucf index 08518c8e..8d25e496 100644 --- a/apparmor.d/ucf +++ b/apparmor.d/ucf @@ -41,7 +41,11 @@ profile ucf @{exec_path} flags=(complain) { /{usr/,}bin/dirname rix, /{usr/,}bin/stat rix, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/dpkg-divert rPx, /{usr/,}bin/sensible-pager rCx -> pager, diff --git a/apparmor.d/udevadm b/apparmor.d/udevadm index 6b9794db..c1589377 100644 --- a/apparmor.d/udevadm +++ b/apparmor.d/udevadm @@ -40,8 +40,12 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/chgrp rix, - /{usr/,}bin/chmod rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/chgrp rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/setfacl rix, + /{usr/,}bin/logger rix, + /{usr/,}bin/nohup rix, /{usr/,}sbin/* rPUx, @@ -49,6 +53,8 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { /{usr/,}lib/systemd/systemd-* rPUx, /{usr/,}lib/crda/* rPUx, + /usr/share/hplip/config_usb_printer.py rPUx, + /etc/console-setup/*.sh rPUx, /etc/default/* r, @@ -79,6 +85,7 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { /dev/ rw, /dev/** rwk, + owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/udiskie b/apparmor.d/udiskie index 5503adac..7155d463 100644 --- a/apparmor.d/udiskie +++ b/apparmor.d/udiskie 
@@ -59,6 +59,11 @@ profile udiskie @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/uname b/apparmor.d/uname index 85923f29..d406d67c 100644 --- a/apparmor.d/uname +++ b/apparmor.d/uname @@ -20,6 +20,8 @@ profile uname @{exec_path} { @{exec_path} mr, + owner /tmp/mktexlsr.* rw, + # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/update-ca-certificates b/apparmor.d/update-ca-certificates index cf89787a..562fbe40 100644 --- a/apparmor.d/update-ca-certificates +++ b/apparmor.d/update-ca-certificates @@ -90,7 +90,11 @@ profile update-ca-certificates @{exec_path} { /{usr/,}bin/sed rix, /{usr/,}bin/head rix, /{usr/,}bin/mountpoint rix, - /{usr/,}bin/dpkg-query rPx, + # Do not strip env to avoid errors like the following: + # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open + # shared object file): ignored. + /{usr/,}bin/dpkg-query rpx, + # /{usr/,}bin/dpkg rPx -> child-dpkg, /usr/share/ca-certificates-java/ca-certificates-java.jar r, diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd index 1be954c0..de3bf57e 100644 --- a/apparmor.d/upowerd +++ b/apparmor.d/upowerd @@ -16,6 +16,7 @@ include @{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd profile upowerd @{exec_path} { include + include network netlink raw, @@ -30,12 +31,8 @@ profile upowerd @{exec_path} { /var/lib/upower/history-*.dat{,.*} rw, # Are all of these needed? (#FIXME#) - /dev/bus/usb/ r, /dev/input/event* r, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, @{sys}/bus/hid/devices/ r, - @{sys}/class/ r, @{sys}/class/leds/ r, @{sys}/class/power_supply/ r, @{sys}/class/input/ r, 
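Review bot: `owner /tmp/mktexlsr.* rw,` in the uname profile sits above the `# file_inherit` heading even though uname has no reason to open a temp file of its own. If this is a descriptor inherited from a calling mktexlsr, moving it under that heading with `# file_inherit (mktexlsr)` keeps the profile's grouping honest; if uname really opens it, a comment saying so is needed because the rule reads as a mistake otherwise.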
@@ -43,7 +40,6 @@ profile upowerd @{exec_path} { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/**/capabilities/* r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum,speed,descriptors} r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/platform/**/leds/**/max_brightness r, @@ -53,10 +49,8 @@ profile upowerd @{exec_path} { @{run}/udev/data/ r, @{run}/udev/data/+power_supply* r, @{run}/udev/data/+input* r, - @{run}/udev/data/+usb* r, @{run}/udev/data/+hid* r, @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/usb-devices b/apparmor.d/usb-devices index 1c213a78..1e85eb66 100644 --- a/apparmor.d/usb-devices +++ b/apparmor.d/usb-devices @@ -16,6 +16,7 @@ include @{exec_path} = /{usr/,}bin/usb-devices profile usb-devices @{exec_path} { include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -26,11 +27,6 @@ profile usb-devices @{exec_path} { /{usr/,}bin/basename rix, /{usr/,}bin/readlink rix, - @{sys}/bus/ r, - @{sys}/bus/usb/devices/ r, - - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r, - # For shell pwd /root/ r, diff --git a/apparmor.d/usbguard b/apparmor.d/usbguard index 44f414f7..c84d712b 100644 --- a/apparmor.d/usbguard +++ b/apparmor.d/usbguard @@ -17,6 +17,10 @@ include profile usbguard @{exec_path} { include include + include + + # Needed to create policy (usbguard generate-policy) + network netlink dgram, @{exec_path} mr, 
@@ -27,11 +31,7 @@ profile usbguard @{exec_path} { /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw, # For "usbguard generate-policy" - @{sys}/bus/usb/devices/{,**} r, - @{sys}/devices/pci[0-9]*/**/uevent rw, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r, + @{sys}/devices/pci[0-9]*/**/uevent r, include if exists } diff --git a/apparmor.d/usbguard-daemon b/apparmor.d/usbguard-daemon index 538da368..690d3ce4 100644 --- a/apparmor.d/usbguard-daemon +++ b/apparmor.d/usbguard-daemon @@ -17,6 +17,7 @@ include profile usbguard-daemon @{exec_path} { include include + include # Needed? (##FIXME##) #capability chown, @@ -38,11 +39,7 @@ profile usbguard-daemon @{exec_path} { /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/ rw, /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw, - @{sys}/bus/usb/devices/{,**} r, - @{sys}/devices/pci[0-9]*/**/uevent rw, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r, + @{sys}/devices/pci[0-9]*/**/uevent r, include if exists } diff --git a/apparmor.d/usermod b/apparmor.d/usermod index a35913bb..68995351 100644 --- a/apparmor.d/usermod +++ b/apparmor.d/usermod @@ -37,6 +37,8 @@ profile usermod @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, ptrace (read), + network netlink raw, + @{exec_path} mr, /etc/login.defs r, diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd index f30cba71..4b631b7b 100644 --- a/apparmor.d/usr.sbin.cupsd +++ b/apparmor.d/usr.sbin.cupsd 
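Review bot: The usbguard-daemon hunk removes the `rw` rules for `{authorized_default,authorized,remove}` under usb sysfs and downgrades `uevent` to `r`, keeping only read access plus an `include` whose target is not visible here. The daemon enforces its policy by writing those attributes, so unless the new abstraction grants that write the profile will log denials exactly when a device should be blocked — a failure that shows up only at enforcement time. If the abstraction is read-only, keep `@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw,` in this profile with a `# device allow/block` comment.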
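Review bot: `network netlink raw,` is added to usermod without a comment, while the other network rule added in this patch (`# Needed to create policy (usbguard generate-policy)` in usbguard) explains its trigger. A raw netlink socket is a broad grant for an account-management tool; add a one-line comment naming the library or call seen in the denial, e.g. `# netlink raw: needed by <caller from the audit log> — TODO confirm`.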
@@ -2,17 +2,17 @@ # Last Modified: Thu Aug 2 12:54:46 2007 # Author: Martin Pitt -include +#include /usr/sbin/cupsd flags=(attach_disconnected) { - include - include - include - include - include - include - include - include + #include + #include + #include + #include + #include + #include + #include + #include capability chown, capability fowner, @@ -47,6 +47,11 @@ include network econet dgram, network ash dgram, + # CUPS is of systemd service type "notify" now, meaning that cupsd notifies + # systemd when it is up and running, give CUPS access to systemd's + # notification socket + /run/systemd/notify w, + /{usr/,}bin/bash ixr, /{usr/,}bin/dash ixr, /{usr/,}bin/hostname ixr, @@ -169,15 +174,15 @@ include } # Site-specific additions and overrides. See local/README for details. - include + #include } # separate profile since this needs to write into /home /usr/lib/cups/backend/cups-pdf { - include - include - include - include + #include + #include + #include + #include capability chown, capability fowner, @@ -211,7 +216,7 @@ include # allow read and write on almost anything in @{HOME} (lenient, but # private-files-strict is in effect), to support customized "Out" # setting in cups-pdf.conf (Debian#940578) - include + #include @{HOME}/[^.]*/{,**/} rw, @{HOME}/[^.]*/** rw, } diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd index 1badcca2..60829ee0 100644 --- a/apparmor.d/usr.sbin.libvirtd +++ b/apparmor.d/usr.sbin.libvirtd @@ -1,9 +1,9 @@ -include +#include @{LIBVIRT}="libvirt" profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { - include - include + #include + #include capability kill, capability net_admin, @@ -115,7 +115,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { - include + #include capability setuid, capability setgid, 
@@ -137,5 +137,5 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { } # Site-specific additions and overrides. See local/README for details. - include + #include } diff --git a/apparmor.d/usr.sbin.ntpd b/apparmor.d/usr.sbin.ntpd index b54a35e1..3ab64d74 100644 --- a/apparmor.d/usr.sbin.ntpd +++ b/apparmor.d/usr.sbin.ntpd @@ -11,13 +11,13 @@ # # ------------------------------------------------------------------ -include -include +#include +#include /usr/sbin/ntpd flags=(attach_disconnected) { - include - include - include - include + #include + #include + #include + #include capability ipc_lock, capability net_admin, @@ -70,7 +70,7 @@ include /var/log/ntpsec/protostats* rwl, /var/log/ntpsec/rawstats* rwl, /var/log/ntpsec/sysstats* rwl, - /var/log/ntpsec/usestats.* rwl, + /var/log/ntpsec/usestats* rwl, /{,var/}run/ntpd.pid w, @@ -87,5 +87,5 @@ include # capability ipc_owner, # Site-specific additions and overrides. See local/README for details. - include + #include } diff --git a/apparmor.d/vidcutter b/apparmor.d/vidcutter index 485688cb..8fe13e6e 100644 --- a/apparmor.d/vidcutter +++ b/apparmor.d/vidcutter @@ -145,6 +145,11 @@ profile vidcutter @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager index 745094b3..4c6c65b8 100644 --- a/apparmor.d/virt-manager +++ b/apparmor.d/virt-manager @@ -32,6 +32,7 @@ profile virt-manager @{exec_path} { include include include + include include network inet stream, 
@@ -91,20 +92,6 @@ profile virt-manager @{exec_path} { owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/route r, - /dev/ r, - - # For USB devices - /dev/bus/usb/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{busnum,devnum,speed,descriptors} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/uevent r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{busnum,devnum,speed,descriptors} r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** r, - @{sys}/devices/pci[0-9]*/**/drm/ r, /etc/fstab r, diff --git a/apparmor.d/vlc b/apparmor.d/vlc index 791b7b7e..751d9c7c 100644 --- a/apparmor.d/vlc +++ b/apparmor.d/vlc @@ -75,6 +75,7 @@ profile vlc @{exec_path} { include include include + include include signal (receive) set=(term, kill) peer=anyremote//*, @@ -130,17 +131,10 @@ profile vlc @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,speed} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, @{run}/udev/data/b254:[0-9]* r, # for /dev/zram* @{run}/udev/data/b253:[0-9]* r, # for /dev/dm* @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for ? - - /dev/ r, - /dev/bus/usb/ r, /etc/fstab r, diff --git a/apparmor.d/wireshark b/apparmor.d/wireshark index 82636c48..713bf37e 100644 --- a/apparmor.d/wireshark +++ b/apparmor.d/wireshark @@ -100,6 +100,11 @@ profile wireshark @{exec_path} { /{usr/,}bin/xdg-open mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver index 687a36b1..6b444b3e 100644 --- a/apparmor.d/xarchiver +++ b/apparmor.d/xarchiver 
@@ -86,7 +86,10 @@ profile xarchiver @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, owner @{HOME}/ r,