From 1042728ca640de9275c96c516b32d7ee36809020 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Mar 2023 15:35:59 +0000 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/apps/vlc | 4 ++-- apparmor.d/groups/gnome/gsd-media-keys | 1 + apparmor.d/groups/gnome/gsd-power | 3 ++- apparmor.d/groups/gnome/tracker-extract | 1 + apparmor.d/groups/systemd/coredumpctl | 2 -- apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/systemd/systemd-userdbd | 2 +- apparmor.d/groups/virt/cockpit-pcp | 2 ++ apparmor.d/groups/virt/docker-proxy | 3 +++ apparmor.d/profiles-a-f/aa-log | 1 + apparmor.d/profiles-a-f/blueman | 3 ++- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 7 ++++--- apparmor.d/profiles-s-z/steam-game | 1 + apparmor.d/profiles-s-z/swapon | 7 ++++--- 15 files changed, 26 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index 72260997..b321a4a7 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -26,14 +26,14 @@ profile vlc @{exec_path} { include include - signal (receive) set=(term, kill) peer=anyremote//*, - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + signal (receive) set=(term, kill) peer=anyremote//*, + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName,GetConnectionUnixProcessID} diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 833ad68a..3906e6dc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -14,6 +14,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 3bce7049..299de5cd 100644 --- a/apparmor.d/groups/gnome/gsd-power 
+++ b/apparmor.d/groups/gnome/gsd-power @@ -10,10 +10,11 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include - include include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index f7e68314..44f63542 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -112,6 +112,7 @@ profile tracker-extract @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/dri/card[0-9]* rw, /dev/dri/renderD128 rw, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index a1ddedef..22612714 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -67,8 +67,6 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - # Silencer - deny /usr/share/** w, } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 99905509..11f3e48c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -89,6 +89,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { @{run}/udev/** rwk, @{run}/systemd/network/ r, + @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, @{run}/systemd/seats/seat[0-9]* r, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 59e3dc23..a74e59a4 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -23,7 +23,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}lib/systemd/systemd-userwork rPx, + /{usr/,}lib/systemd/systemd-userwork rix, /etc/shadow r, /etc/machine-id r, 
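Review bot: The new `@{run}/systemd/network/*.link rw,` grants write access to files the surrounding context suggests udevd only consumes (the directory itself is listed `r` on the line just above); unless an audit log actually showed a write, `@{run}/systemd/network/*.link r,` is the least-privilege form. Note the profile header carries `flags=(attach_disconnected complain)`, so this rule currently only changes what is logged, not what is allowed, which makes it worth getting the permission right before the profile is ever enforced. A one-line comment such as `# .link files consumed at device setup, read only` above the rule would record the intent.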
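Review bot: Changing `/{usr/,}lib/systemd/systemd-userwork` from `rPx` to `rix` means the worker now runs under systemd-userdbd's own rules, including the `/etc/shadow r,` visible two lines below, instead of transitioning to a dedicated, separately scoped profile with a scrubbed environment. If a standalone systemd-userwork profile exists elsewhere in the repository it no longer applies to workers spawned here and should be reconciled, either by dropping it or by keeping `rPx` and adding the missing rules there. At minimum a comment above the rule, e.g. `# workers need the same user db and shadow access, run them under this profile`, would record why inherited execution is deliberate. The profile header is outside the hunk.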
diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp index 19cd3c9c..ee17cbc2 100644 --- a/apparmor.d/groups/virt/cockpit-pcp +++ b/apparmor.d/groups/virt/cockpit-pcp @@ -26,6 +26,8 @@ profile cockpit-pcp @{exec_path} { /var/lib/pcp/{,**} rw, + /var/log/pcp/pmlogger/ r, + @{PROC}/diskstats r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index f9295420..54f66d66 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -12,6 +12,9 @@ profile docker-proxy @{exec_path} { capability net_admin, + network inet stream, + network inet6 stream, + @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index a223f2dd..e34b00d9 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -19,6 +19,7 @@ profile aa-log @{exec_path} { /var/lib/dbus/machine-id r, /var/log/audit/* r, + /var/log/syslog* r, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex}/{,*} r, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 1b38fffd..620cae5e 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -16,13 +16,14 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include include include + include include include include network inet stream, network inet6 stream, - + network netlink raw, network bluetooth raw, ptrace (read) peer=gjs-console, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 0c099850..9e10af0e 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -13,8 +13,8 @@ profile pass @{exec_path} { @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/base64 rix, - /{usr/,}bin/bash rix, /{usr/,}bin/cat rix, /{usr/,}bin/cp rix, /{usr/,}bin/diff rix, 
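Review bot: Only `network inet stream,` and `network inet6 stream,` are added, but docker-proxy is, to my knowledge, also spawned for UDP port publications (`-p host:container/udp`), which would need `network inet dgram,` and `network inet6 dgram,` in this profile; as written a UDP mapping would be refused at socket creation. If the dgram rules are intentionally left out until an audit log confirms them, a comment saying so (`# udp mappings not yet covered, see logs`) would stop the next reader from re-adding them blindly. The rest of the profile body is outside the hunk.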
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 768a080e..8b9b6068 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -10,8 +10,9 @@ include profile spice-vdagent @{exec_path} { include include - include include + include + include include include include @@ -56,9 +57,9 @@ profile spice-vdagent @{exec_path} { @{sys}/devices/pci[0-9]*/**/{device,vendor} r, - /dev/dri/card[0-9]* rw, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/dri/card[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index f84f6774..94e3f0e1 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -205,6 +205,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{sys}/class/input/ r, @{sys}/class/sound/ r, @{sys}/devices/**/input[0-9]*/ r, + @{sys}/devices/**/input[0-9]*/**/{vendor,product} r, @{sys}/devices/**/input[0-9]*/capabilities/* r, @{sys}/devices/**/input/input[0-9]*/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon index f3411a3f..5ffeac7c 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/profiles-s-z/swapon @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,10 +18,10 @@ profile swapon @{exec_path} { /etc/fstab r, - @{PROC}/swaps r, - - # SWAP file common locations owner /swapfile rw, + owner /swap/swapfile rw, + + @{PROC}/swaps r, include if exists }
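Review bot: `@{sys}/devices/**/input[0-9]*/**/{vendor,product} r,` uses a second `**` that matches any depth below the input device, whereas the vendor and product attributes of an input device are normally exposed under its `id/` subdirectory; if that is what the game reads, `@{sys}/devices/**/input[0-9]*/id/{vendor,product} r,` is the tighter rule and matches the style of the neighbouring `capabilities/*` line. The wider glob is harmless for sysfs reads but makes the rule look like it covers more than it was written for. The profile body continues outside the hunk.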
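Review bot: The hard-coded swap file list now covers `/swapfile` and `/swap/swapfile`, but Ubuntu's installer default is `/swap.img`, so swapon would still be denied on a stock Ubuntu system unless that path is also listed, e.g. `owner /swap.img rw,`. Since the real set of swap files is whatever `/etc/fstab` (read two lines above) declares, the removed `# SWAP file common locations` comment was useful and could be kept, extended with a note that site-specific paths belong in the `include if exists` local override rather than in this enumeration.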