From 156f5d4e3b34503ffbe924d11dd33e9ce9923908 Mon Sep 17 00:00:00 2001 From: Mikhail Morfikov Date: Fri, 18 Dec 2020 11:12:55 +0100 Subject: [PATCH] update apparmor profiles --- apparmor.d/abstractions/gtk | 4 ++ apparmor.d/apt-systemd-daily | 59 ++++++++++++++++++++++++++++++ apparmor.d/birdtray | 4 +- apparmor.d/calibre | 2 +- apparmor.d/chromium-chromium | 2 +- apparmor.d/cron-popularity-contest | 6 +++ apparmor.d/discord | 2 +- apparmor.d/firefox | 2 +- apparmor.d/flameshot | 4 +- apparmor.d/freetube | 2 +- apparmor.d/gajim | 3 +- apparmor.d/git | 6 ++- apparmor.d/google-chrome-chrome | 2 +- apparmor.d/keepassxc | 4 +- apparmor.d/keepassxc-proxy | 4 +- apparmor.d/minitube | 4 +- apparmor.d/mpv | 2 +- apparmor.d/opera | 2 +- apparmor.d/psi-plus | 2 +- apparmor.d/qbittorrent | 4 +- apparmor.d/qbittorrent-nox | 4 +- apparmor.d/qnapi | 4 +- apparmor.d/quiterss | 4 +- apparmor.d/redshift | 3 ++ apparmor.d/reportbug | 6 +++ apparmor.d/smplayer | 4 +- apparmor.d/smtube | 4 +- apparmor.d/strawberry | 4 +- apparmor.d/telegram-desktop | 4 +- apparmor.d/thunderbird | 2 +- apparmor.d/tint2 | 2 +- apparmor.d/unmkinitramfs | 16 ++++++-- apparmor.d/vlc | 2 +- apparmor.d/wget | 2 +- 34 files changed, 135 insertions(+), 46 deletions(-) create mode 100644 apparmor.d/apt-systemd-daily diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk index 8daed9cb..87c4fd5a 100644 --- a/apparmor.d/abstractions/gtk +++ b/apparmor.d/abstractions/gtk @@ -13,6 +13,10 @@ /usr/share/themes/{,**} r, + /usr/share/gtksourceview-[0-9]*/ r, + /usr/share/gtksourceview-[0-9]*/** r, + + /usr/share/gtk-3.0/ r, /usr/share/gtk-3.0/settings.ini r, /etc/gtk-2.0/ r, diff --git a/apparmor.d/apt-systemd-daily b/apparmor.d/apt-systemd-daily new file mode 100644 index 00000000..bcc0fb93 --- /dev/null +++ b/apparmor.d/apt-systemd-daily 
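Review bot: The two new gtksourceview rules can be collapsed into one using the `{,**}` form the abstraction already uses on the context line just above (`/usr/share/themes/{,**} r,`): `/usr/share/gtksourceview-[0-9]*/{,**} r,`. That keeps the abstraction's style uniform and gives one line to audit instead of two. The separate `/usr/share/gtk-3.0/ r,` is directory-listing only and stays narrower than the existing `settings.ini` rule requires, which is fine as written.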
@@ -0,0 +1,59 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily +profile apt-systemd-daily @{exec_path} { + include + + @{exec_path} mrix, + /{usr/,}bin/{,ba,da}sh rix, + + /{usr/,}bin/flock rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/savelog rix, + /{usr/,}bin/which rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/date rix, + /{usr/,}bin/find rix, + /{usr/,}bin/du rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/uniq rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/seq rix, + + /{usr/,}bin/apt-config rPx, + /{usr/,}bin/apt-get rPx, + + /etc/default/locale r, + + # The /daily_lock file is only used when the /var/lib/apt/daily_lock can be accessed. + #/daily_lock w, + /var/lib/apt/daily_lock wk, + + /var/lib/apt/extended_states r, + + /var/backups/apt.extended_states.[0-9]* r, + + /var/cache/apt/ r, + /var/cache/apt/archives/ r, + /var/cache/apt/backup/ r, + + include if exists +} diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray index f17ab2c3..6907c5eb 100644 --- a/apparmor.d/birdtray +++ b/apparmor.d/birdtray @@ -29,9 +29,7 @@ profile birdtray @{exec_path} { include include - network inet, - network inet6, - network netlink dgram, + deny network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/calibre b/apparmor.d/calibre index dd30415b..4e833cce 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre 
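Review bot: The `abi ,`, `include` and `include if exists` lines of the new apt-systemd-daily profile carry no target in this rendering; the usual `<abi/3.0>`, `<tunables/global>`, `<abstractions/base>` and `<local/apt-systemd-daily>` arguments were presumably stripped by angle-bracket handling in the patch view rather than omitted in the commit, but that is worth confirming, since apparmor_parser rejects a bare `abi` or `include`. The comment above the disabled `#/daily_lock w,` rule reads inverted — a fallback lock at `/daily_lock` would only be reached when `/var/lib/apt/daily_lock` cannot be used — so if that is the case the comment should say so: `# /daily_lock is the fallback lock path when /var/lib/apt/ is not usable; keep it disabled unless that case is hit.` A one-line note next to `/{usr/,}bin/apt-get rPx,` and `/{usr/,}bin/apt-config rPx,` that the `Px` transition hands those children to their own profiles (so the file rules in this profile do not constrain them) would also help the next reader.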
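Review bot: Every `network netlink raw`/`network netlink dgram` allow rule in this commit becomes an explicit `deny` — here and in calibre, chromium-chromium, discord, firefox, flameshot, freetube, gajim, google-chrome-chrome, keepassxc, keepassxc-proxy, minitube, mpv, opera, psi-plus, qbittorrent, qbittorrent-nox, qnapi, quiterss, smtube, strawberry, telegram-desktop, thunderbird, tint2, vlc and wget — without a comment recording why. AppArmor `deny` rules are quiet: the rejection is not written to the audit log, so if one of these programs does rely on NETLINK_ROUTE (to my knowledge glibc's getifaddrs(), which Qt's QNetworkInterface sits on, opens a raw netlink socket for interface enumeration) the resulting EACCES will not surface anywhere. A one-line rationale beside the rule, e.g. `# netlink is only touched for interface enumeration; not required, denied quietly`, or `audit deny network netlink raw,` while the change is being validated, would make the intent reviewable. Dropping birdtray's own `network inet,`/`network inet6,` rules is a straightforward tightening and needs no further justification.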
@@ -58,7 +58,7 @@ profile calibre @{exec_path} { capability sys_ptrace, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index 63a0e5e9..e475d8b9 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -53,7 +53,7 @@ profile chromium-chromium @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/cron-popularity-contest b/apparmor.d/cron-popularity-contest index ec02d612..5c09663d 100644 --- a/apparmor.d/cron-popularity-contest +++ b/apparmor.d/cron-popularity-contest @@ -138,6 +138,12 @@ profile cron-popularity-contest @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + /usr/share/popularity-contest/popcon-upload r, /{usr/,}bin/perl r, diff --git a/apparmor.d/discord b/apparmor.d/discord index 83790ded..878d4f11 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -43,7 +43,7 @@ profile discord @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 27f482be..91c2d55e 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -44,7 +44,7 @@ profile firefox @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index f9f1daf8..22116b8f 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot 
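Review bot: `network netlink raw,` is granted here as an allow while the very same rule becomes `deny network netlink raw,` in every other profile touched by this commit; if the popcon-upload child only hits netlink through interface enumeration, `deny network netlink raw,` would be consistent with the rest of the change, and if it is genuinely needed, a comment naming what needs it belongs beside the rule. The `network inet{,6} dgram` rules are plausibly for resolver traffic, but the same one-line justification would help since this profile is driven from cron rather than by an interactive user. The enclosing child profile starts and ends outside this hunk.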
@@ -36,8 +36,8 @@ profile flameshot @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, - network netlink dgram, + deny network netlink raw, + deny network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/freetube b/apparmor.d/freetube index e134c2a7..0c344c85 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube @@ -47,7 +47,7 @@ profile freetube @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/gajim b/apparmor.d/gajim index 3f73f6fb..41eda8c0 100644 --- a/apparmor.d/gajim +++ b/apparmor.d/gajim @@ -35,8 +35,7 @@ profile gajim @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, - + deny network netlink raw, @{exec_path} r, diff --git a/apparmor.d/git b/apparmor.d/git index 6ce418c4..6be71c63 100644 --- a/apparmor.d/git +++ b/apparmor.d/git @@ -27,7 +27,6 @@ profile git @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} mr, /{usr/,}lib/git-core/git rix, @@ -115,6 +114,11 @@ profile git @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + /{usr/,}bin/ssh mr, /etc/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index ec12aa18..2eb294f3 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -49,7 +49,7 @@ profile google-chrome-chrome @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc index 9a5d852d..840c4cdb 100644 --- a/apparmor.d/keepassxc +++ b/apparmor.d/keepassxc 
@@ -37,8 +37,8 @@ profile keepassxc @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/keepassxc-proxy b/apparmor.d/keepassxc-proxy index 729e7a7d..d2a53d12 100644 --- a/apparmor.d/keepassxc-proxy +++ b/apparmor.d/keepassxc-proxy @@ -21,9 +21,11 @@ profile keepassxc-proxy @{exec_path} { signal (receive) set=(term, kill), + network inet dgram, + network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 8a0cf7af..95d05fe9 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -36,8 +36,8 @@ profile minitube @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/mpv b/apparmor.d/mpv index 0021e57b..bbbff32e 100644 --- a/apparmor.d/mpv +++ b/apparmor.d/mpv @@ -85,7 +85,7 @@ profile mpv @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/opera b/apparmor.d/opera index 1e8e6e0d..9a446a7b 100644 --- a/apparmor.d/opera +++ b/apparmor.d/opera @@ -52,7 +52,7 @@ profile opera @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index 08a6d593..c6b6d750 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus @@ -40,7 +40,7 @@ profile psi-plus @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, + deny network netlink dgram, @{exec_path} mr, 
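Review bot: `network inet dgram,` and `network inet6 dgram,` are newly granted to keepassxc-proxy with no comment on what needs them; as I understand it the proxy only relays native-messaging traffic between the browser (stdio) and KeePassXC (local socket), so UDP is an unexplained widening of an otherwise small profile. If the trigger is a name lookup or a Qt network probe, record it next to the rule, e.g. `# dgram: needed for <observed reason>`; if the rules were added only to quiet an audit entry, a `deny` keeps the surface unchanged while silencing it. keepassxc-proxy's profile body continues outside the hunk.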
diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent index 702101ee..6e3490d7 100644 --- a/apparmor.d/qbittorrent +++ b/apparmor.d/qbittorrent @@ -41,8 +41,8 @@ profile qbittorrent @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/qbittorrent-nox b/apparmor.d/qbittorrent-nox index 7eea7886..eb80faa1 100644 --- a/apparmor.d/qbittorrent-nox +++ b/apparmor.d/qbittorrent-nox @@ -27,8 +27,8 @@ profile qbittorrent-nox @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi index de3e4db1..4230871d 100644 --- a/apparmor.d/qnapi +++ b/apparmor.d/qnapi @@ -68,8 +68,8 @@ profile qnapi @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, - network netlink dgram, + deny network netlink raw, + deny network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index 689f4a0c..080d05bb 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -39,8 +39,8 @@ profile quiterss @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, - network netlink dgram, + deny network netlink raw, + deny network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/redshift b/apparmor.d/redshift index 26b4ca8d..c933ab67 100644 --- a/apparmor.d/redshift +++ b/apparmor.d/redshift @@ -17,6 +17,7 @@ include @{exec_path} = /{usr/,}bin/redshift profile redshift @{exec_path} { include + include include @{exec_path} mr, 
@@ -36,6 +37,8 @@ profile redshift @{exec_path} { owner @{HOME}/.config/redshift/{,**} rw, owner @{HOME}/.config/redshift.conf rw, + owner @{run}/user/[0-9]*/redshift-shared-* rw, + owner @{HOME}/.Xauthority r, owner /tmp/xauth-[0-9]*-_[0-9] r, diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index cf544f1b..62219f8f 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug @@ -53,6 +53,7 @@ profile reportbug @{exec_path} { /{usr/,}bin/dlocate rPx, /{usr/,}bin/apt-cache rPx, /{usr/,}bin/dpkg-query rPx, + /{usr/,}sbin/exim4 rPx, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/dpkg rPx -> child-dpkg, @@ -86,6 +87,8 @@ profile reportbug @{exec_path} { owner @{PROC}/@{pid}/fd/ r, @{PROC}/sys/kernel/tainted r, + @{sys}/module/apparmor/parameters/enabled r, + owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw, owner /tmp/[a-z0-9]* rw, owner /var/tmp/*.bug{,~} rw, @@ -93,6 +96,9 @@ profile reportbug @{exec_path} { # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, + # Silencer + /usr/lib/python3/** w, + profile run-parts { include diff --git a/apparmor.d/smplayer b/apparmor.d/smplayer index a13203ac..f1cf3d92 100644 --- a/apparmor.d/smplayer +++ b/apparmor.d/smplayer @@ -88,8 +88,8 @@ profile smplayer @{exec_path} { network inet dgram, network inet6 dgram, network inet stream, - network inet6 stream, - network netlink dgram, + deny network inet6 stream, + deny network netlink dgram, @{exec_path} mrix, diff --git a/apparmor.d/smtube b/apparmor.d/smtube index 85df3f23..462597bd 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -33,8 +33,8 @@ profile smtube @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index 0bfcef51..3a2909a6 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry 
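Review bot: `/usr/lib/python3/** w,` under `# Silencer` in the third reportbug hunk is an allow rule, not a deny: it grants reportbug write access to the entire system Python library tree, the opposite of silencing. The AppArmor idiom for quieting a harmless rejected access is `deny /usr/lib/python3/** w,`, which suppresses the log entry while still refusing the write; as written, a reportbug run by root (or a compromise of it) could modify modules imported by every Python program on the host. The likely trigger is CPython attempting to write `__pycache__` bytecode, so `deny /usr/lib/python3/**/__pycache__/** w,` would be narrower still. The `/{usr/,}sbin/exim4 rPx,` added in the first reportbug hunk also requires an exim4 profile to be loaded, otherwise the exec is refused; worth confirming one exists in this tree. The reportbug profile body continues outside these hunks.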
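Review bot: Turning `network inet6 stream,` into `deny network inet6 stream,` in smplayer looks like a stray edit rather than the netlink cleanup applied everywhere else in this commit: IPv6 TCP is now refused while `network inet6 dgram,`, `network inet stream,` and `network inet dgram,` directly above it stay allowed, an asymmetric state that, because `deny` is silent, will fail with no audit entry on IPv6-capable hosts. If only the netlink rule was meant to change, the line should remain `network inet6 stream,`; if IPv6 TCP is intentionally blocked, a comment saying why belongs beside the rule and `network inet6 dgram,` should probably receive the same treatment.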
@@ -40,8 +40,8 @@ profile strawberry @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop index 9c3fa1b3..91a2120d 100644 --- a/apparmor.d/telegram-desktop +++ b/apparmor.d/telegram-desktop @@ -40,8 +40,8 @@ profile telegram-desktop @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink dgram, - network netlink raw, + deny network netlink dgram, + deny network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird index e03a3a77..21b2e94d 100644 --- a/apparmor.d/thunderbird +++ b/apparmor.d/thunderbird @@ -46,7 +46,7 @@ profile thunderbird @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". diff --git a/apparmor.d/tint2 b/apparmor.d/tint2 index ad1ef41a..4eed94a5 100644 --- a/apparmor.d/tint2 +++ b/apparmor.d/tint2 @@ -22,7 +22,7 @@ profile tint2 @{exec_path} { include include - network netlink dgram, + deny network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/unmkinitramfs b/apparmor.d/unmkinitramfs index 4af9bd70..c4cc0f7f 100644 --- a/apparmor.d/unmkinitramfs +++ b/apparmor.d/unmkinitramfs 
@@ -25,22 +25,30 @@ profile unmkinitramfs @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, - /{usr/,}bin/gzip rix, /{usr/,}bin/xzcat rix, /{usr/,}bin/lz4cat rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/lzop rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/rm rix, /{usr/,}bin/dd rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/getopt rix, - /{usr/,}bin/cpio rix, + /{usr/,}bin/cpio rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/lzma rix, + /{usr/,}bin/lzop rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/zstd rix, + + /boot/ r, owner /boot/initrd.img-* r, + /tmp/ r, owner /tmp/initrd.img-* r, + /mnt/ r, owner /mnt/initrd.img-* r, + /mnt/boot/ r, owner /mnt/boot/initrd.img-* r, # To extract the content of the initrd image diff --git a/apparmor.d/vlc b/apparmor.d/vlc index 4277eece..9bbfc501 100644 --- a/apparmor.d/vlc +++ b/apparmor.d/vlc @@ -83,7 +83,7 @@ profile vlc @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/wget b/apparmor.d/wget index 257f7b5e..921d9a99 100644 --- a/apparmor.d/wget +++ b/apparmor.d/wget @@ -30,7 +30,7 @@ profile wget @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + deny network netlink raw, @{exec_path} mr,