From 11617131ce586fc74baf48646f3c3b53237685a2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 3 Jul 2023 14:09:25 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/abstractions/nvidia.d/complete | 4 ++-
 apparmor.d/groups/cron/cron | 5 ++--
 apparmor.d/groups/freedesktop/xorg | 3 +-
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/groups/kde/drkonqi | 4 ++-
 apparmor.d/groups/kde/kcminit | 3 ++
 apparmor.d/groups/kde/kioslave5 | 6 ++++
 apparmor.d/groups/kde/ksmserver | 3 +-
 apparmor.d/groups/kde/plasma-discover | 6 ++++
 apparmor.d/groups/kde/plasmashell | 34 ++++++++++++-----------
 apparmor.d/groups/network/nm-dispatcher | 2 ++
 apparmor.d/profiles-a-f/aa-log | 2 ++
 apparmor.d/profiles-a-f/bluetoothd | 2 ++
 apparmor.d/profiles-s-z/xauth | 5 +++-
 14 files changed, 57 insertions(+), 23 deletions(-)
diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete
index 499d75ab..f879e06f 100644
--- a/apparmor.d/abstractions/nvidia.d/complete
+++ b/apparmor.d/abstractions/nvidia.d/complete
@@ -2,8 +2,10 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
+ owner @{HOME}/.nv/nvidia-application-profiles* r,
 /etc/nvidia/nvidia-application-profiles* r,
- unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
+ /dev/char/195:[0-9]* rw,
diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index 7d88d5a0..8ab18f85 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -46,8 +46,9 @@ profile cron @{exec_path} flags=(attach_disconnected) {
 /var/spool/cron/crontabs/{,*} r,
 /var/spool/cron/tabs/{,*} r,
- @{run}/crond.pid rwk,
- @{run}/crond.reboot rw,
+ owner @{run}/cron.pid rwk,
+ owner @{run}/cron.reboot rw,
+ @{run}/systemd/sessions/*.ref rw,
 owner /tmp/#[0-9]*[0-9] rw,
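Review bot: `/dev/char/195:[0-9]* rw,` at the end of the nvidia.d/complete hunk carries no comment saying which devices it opens. Major 195 is the registered NVIDIA character-device major and `[0-9]*` admits every minor under it, so as I read it this covers the control and modeset nodes as well as the per-GPU ones; because this abstraction is pulled into many profiles, that width should be recorded, e.g. `/dev/char/195:[0-9]* rw, # kernel links to the NVIDIA device nodes (major 195)`. If only the per-GPU nodes are intended, a narrower glob with a comment saying so would be better.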
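Review bot: The cron hunk replaces `@{run}/crond.pid` and `@{run}/crond.reboot` with `cron.pid`/`cron.reboot` outright, so a distribution whose daemon still writes `crond.pid` loses its rule rather than gaining one; if both spellings are in use, `owner @{run}/cron{,d}.pid rwk,` and `owner @{run}/cron{,d}.reboot rw,` keep both without widening anything else. The new `@{run}/systemd/sessions/*.ref rw,` line is not `owner`-qualified and says nothing about its purpose; it looks like the pam_systemd session reference FIFO, in which case `# pam_systemd session keep-alive fifo` above it would tell the next reader why cron touches logind state.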
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 4d7c3be2..4cdf6e6e 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -28,10 +28,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 capability setgid,
 capability setuid,
 capability sys_admin,
+ capability sys_rawio,
 # These can be denied?
 #audit capability dac_override,
- #audit capability sys_rawio,
 #audit capability sys_nice,
 #capability sys_tty_config,
@@ -139,6 +139,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 @{PROC}/ioports r,
 @{PROC}/mtrr rw,
+ /dev/fb[0-9] rw,
 /dev/input/event[0-9]* rw,
 /dev/shm/#[0-9]*[0-9] rw,
 /dev/shm/shmfd-* rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 731dbc03..cad59c62 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -590,6 +590,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
 owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
 owner @{run}/user/@{uid}/systemd/notify rw,
+ owner @{run}/user//@{uid}/wayland-[0-9]* rwk,
 owner /dev/shm/.org.chromium.Chromium.* rw,
 owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
index c1916c36..c61c7a46 100644
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@@ -9,8 +9,9 @@ include
 @{exec_path} = @{libexec}/drkonqi
 profile drkonqi @{exec_path} {
 include
- include
+ include
 include
+ include
 network inet stream,
 network inet6 stream,
@@ -18,6 +19,7 @@ profile drkonqi @{exec_path} {
 @{exec_path} mr,
+ /usr/share/drkonqi/{,**} r,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 @{run}/user/@{uid}/xauth_* rl,
diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit
index 4ae1d6d3..62fe69f5 100644
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
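Review bot: `capability sys_rawio,` in the first xorg hunk turns what was an audit-only comment into an unconditional grant without recording what needs it. CAP_SYS_RAWIO covers iopl/ioperm port access and other raw device I/O that path-based mediation cannot see, so the reason belongs next to the rule, e.g. `capability sys_rawio, # ioperm/iopl for legacy VGA and PCI I/O ports` — hedged, since I can only infer the trigger from the `@{PROC}/ioports r,` context in the second hunk. The rule is also placed above `# These can be denied?`, so that comment no longer speaks to it; if the intent is that it still might be denied on some setups, it should say so.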
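Review bot: The added rule `owner @{run}/user//@{uid}/wayland-[0-9]* rwk,` in the gnome-shell hunk has a doubled slash after `user`. As far as I recall the parser collapses repeated slashes, so it may still compile to the intended path, but the surrounding rules all read `@{run}/user/@{uid}/…` and this one should match them: `owner @{run}/user/@{uid}/wayland-[0-9]* rwk,`. The `[0-9]*` suffix also matches `wayland-N.lock`, which is presumably why `k` is granted; a trailing `# socket and its .lock` would make that explicit.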
@@ -25,6 +25,8 @@ profile kcminit @{exec_path} {
 /etc/xdg/kcminputrc r,
 /etc/xdg/kdeglobals r,
+ owner @{HOME}/.Xdefaults r,
+ owner @{user_config_dirs}/#[0-9]* rw,
 owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
 owner @{user_config_dirs}/gtkrc{,.??????} rwl,
@@ -33,6 +35,7 @@ profile kcminit @{exec_path} {
 owner @{user_config_dirs}/kdedefaults/kdeglobals r,
 owner @{user_config_dirs}/kdeglobals r,
 owner @{user_config_dirs}/kgammarc r,
+ owner @{user_config_dirs}/touchpadrc r,
 owner @{user_config_dirs}/Trolltech.conf.lock rwk,
 owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5
index a22063d8..b56d0f54 100644
--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@@ -14,9 +14,14 @@ profile kioslave5 @{exec_path} {
 include
 include
 include
+ include
 include
 include
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
 network netlink raw,
 signal (receive) set=term peer=plasmashell,
@@ -25,6 +30,7 @@ profile kioslave5 @{exec_path} {
 @{libexec}/libheif/ r,
 @{libexec}/libheif/*.so* rm,
+ @{libexec}/kf5/kio_http_cache_cleaner rPx,
 /usr/share/hwdata/*.ids r,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 6d3a5cb4..a2a087bc 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -24,8 +24,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /{usr/,}bin/rm rix,
- @{libexec}/kscreenlocker_greet rPx,
 @{libexec}/DiscoverNotifier rPUx, # TODO: rPx,
+ @{libexec}/drkonqi rPx,
+ @{libexec}/kscreenlocker_greet rPx,
 /usr/share/color-schemes/{,**} r,
 /usr/share/hwdata/pnp.ids r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 56a24cdf..054c2440 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
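Review bot: `owner @{user_config_dirs}/#[0-9]* rw,` in the first kcminit hunk admits any anonymous or unlinked file that the kernel reports as `#<inode>` under the whole config directory, which is much wider than the named `gtkrc*` and `*rc` rules around it, and nothing says why. A comment such as `# anonymous/unlinked temp files, reported as #<inode>` above it would record the intent; if it exists only to serve the atomic-save of one particular rc file, the comment should name that file so the rule can be narrowed later.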
@@ -11,6 +11,7 @@ profile plasma-discover @{exec_path} {
 include
 include
 include
+ include
 include
 network inet dgram,
@@ -21,9 +22,14 @@ profile plasma-discover @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/kreadconfig5 rPx,
+ @{libexec}/kf5/kioslave5 rPx,
 @{libexec}/kf5/kio_http_cache_cleaner rPx,
+ /usr/share/kservices5/{,*} r,
+ /etc/appstream.conf r,
 /etc/machine-id r,
 /etc/flatpak/remotes.d/{,**} r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 9588e413..7ddb3289 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -23,7 +23,7 @@ profile plasmashell @{exec_path} {
 include
 include
 include
- include
+ # include
 include
 include
@@ -47,20 +47,21 @@ profile plasmashell @{exec_path} {
 /{usr/,}bin/dolphin rPUx, # TODO: rPx,
 /{usr/,}bin/plasma-discover rPUx,
- /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+ /usr/share/akonadi/firstrun/{,*} r,
+ /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
+ /usr/share/desktop-directories/kf5-*.directory r,
 /usr/share/hwdata/*.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+ /usr/share/knotifications5/*.notifyrc r,
+ /usr/share/konsole/ r,
+ /usr/share/krunner/{,**} r,
 /usr/share/kservices5/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
+ /usr/share/lshw/artwork/logo.svg r,
 /usr/share/mime/{,**} r,
 /usr/share/plasma/{,**} r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/wallpapers/{,**} r,
- /usr/share/krunner/{,**} r,
- /usr/share/konsole/ r,
- /usr/share/akonadi/firstrun/{,*} r,
- /usr/share/lshw/artwork/logo.svg r,
- /usr/share/knotifications5/*.notifyrc r,
- /usr/share/desktop-directories/kf5-*.directory r,
 /etc/appstream.conf r,
 /etc/cups/client.conf r,
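Review bot: `/{usr/,}bin/{,ba,da}sh rix,` in the second plasma-discover hunk runs a shell inside the plasma-discover profile, so whatever script that shell is handed inherits every permission of the profile, including the `network inet dgram,` visible as context in the first hunk and the `rPx` transitions listed beside it. Nothing in the hunk records what invokes the shell; a comment such as `/{usr/,}bin/{,ba,da}sh rix, # TODO: name the helper that needs a shell` would let a later reviewer decide whether a dedicated child profile is warranted instead of `ix`.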
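Review bot: The first plasmashell hunk turns an `include` line into `# include` with no reason recorded. The abstraction name is not visible here, but an include that is silently commented out cannot later be told apart from one dropped as unnecessary or one disabled as a workaround, so the reason should sit on the same line, e.g. `# include <ABSTRACTION>  # disabled: <REASON>` (both placeholders to be filled in). The rest of the plasmashell hunks on this line only reorder read rules alphabetically, which is fine.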
@@ -74,14 +75,14 @@ profile plasmashell @{exec_path} {
 /etc/xdg/kdeglobals r,
 /etc/xdg/kioslaverc r,
 /etc/xdg/krunnerrc r,
+ /etc/xdg/kshorturifilterrc r,
 /etc/xdg/kwinrc r,
 /etc/xdg/menus/ r,
- /etc/xdg/menus/applications.menu r,
 /etc/xdg/menus/applications-merged/ r,
+ /etc/xdg/menus/applications.menu r,
 /etc/xdg/plasmanotifyrc r,
 /etc/xdg/plasmarc r,
 /etc/xdg/taskmanagerrulesrc r,
- /etc/xdg/kshorturifilterrc r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
@@ -121,8 +122,8 @@ profile plasmashell @{exec_path} {
 owner @{user_config_dirs}/plasma-pk-updates r,
 owner @{user_config_dirs}/plasma*desktop* rwlk,
 owner @{user_config_dirs}/plasmanotifyrc rw,
- owner @{user_config_dirs}/plasmanotifyrc.lock rwk,
 owner @{user_config_dirs}/plasmanotifyrc.* rwl,
+ owner @{user_config_dirs}/plasmanotifyrc.lock rwk,
 owner @{user_config_dirs}/plasmaparc r,
 owner @{user_config_dirs}/plasmashellrc r,
 owner @{user_config_dirs}/pulse/cookie rwk,
@@ -157,14 +158,15 @@ profile plasmashell @{exec_path} {
 @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
+ owner @{PROC}/@{pid}/attr/current r,
 owner @{PROC}/@{pid}/environ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
- owner @{PROC}/@{pid}/attr/current r,
-
- /dev/shm/ r,
+ /dev/ptmx rw,
-
+ /dev/rfkill r,
+ /dev/shm/ r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index f20f3fb9..5561a7ad 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -60,6 +60,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 @{run}/tlp/{,*} rw,
 @{run}/chrony-dhcp/ rw,
+ @{sys}/class/net/ r,
+ owner @{PROC}/@{pid}/fd/ r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index 9bdc4d69..1e91e8e0 100644
--- a/apparmor.d/profiles-a-f/aa-log
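Review bot: `/dev/ptmx rw,` in the last plasmashell hunk grants the shell process pseudo-terminal allocation, while every other addition in these hunks is a read rule, and nothing explains what needs a pty. The matching slave side (`/dev/pts/*`) is not in this hunk, so it is presumably provided elsewhere; either way the feature that opens ptmx should be named on the line, e.g. `/dev/ptmx rw, # TODO: name the component that allocates a pty`, so the grant can be revisited if that component moves to its own profile. The reordering of the `owner @{PROC}/@{pid}/...` rules in the same hunk is purely cosmetic.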
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -18,6 +18,8 @@ profile aa-log @{exec_path} {
 /{usr/,}bin/journalctl rix,
 /etc/machine-id r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
 /var/lib/dbus/machine-id r,
 /var/log/audit/* r,
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 037b1723..e88f8365 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -37,6 +37,8 @@ profile bluetoothd @{exec_path} {
 @{sys}/devices/platform/**/rfkill/**/name r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{PROC}/sys/kernel/hostname r,
+
 /dev/uhid rw,
 /dev/uinput rw,
 /dev/rfkill rw,
diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth
index 3b935774..36731ec9 100644
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@@ -32,7 +32,10 @@ profile xauth @{exec_path} {
 owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
 owner /tmp/runtime-*/xauth_?????? r,
- @{run}/user/@{uid}/xauth_?????? rw,
+
+ owner @{run}/user/@{uid}/xauth_?????? rw,
+ owner @{run}/user/@{uid}/xauth_??????-c w,
+ owner @{run}/user/@{uid}/xauth_??????-l wl,
 include if exists
 }
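Review bot: The three new `owner @{run}/user/@{uid}/xauth_??????{,-c,-l}` rules in the xauth hunk are the authority file plus the two lock files libXau's XauLockAuth creates (`-c` is created exclusively, then hard-linked to `-l`), but nothing in the hunk says so, and the `l` on the `-l` rule is only understandable with that background. A comment above the group, `# authority file and its XauLockAuth lock files: -c is created, then linked to -l`, would record it. Adding `owner` to the pre-existing rule is a welcome tightening to the caller's own uid; the comparable drkonqi rule `@{run}/user/@{uid}/xauth_* rl,` visible as context earlier in this patch is still unqualified and could follow suit in a later change.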