update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2020-12-18 11:12:55 +01:00
parent 7067edcf70
commit 156f5d4e3b
34 changed files with 135 additions and 46 deletions


@ -13,6 +13,10 @@
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,
/usr/share/gtksourceview-[0-9]*/ r,
/usr/share/gtksourceview-[0-9]*/** r,
/usr/share/gtk-3.0/ r,
/usr/share/gtk-3.0/settings.ini r, /usr/share/gtk-3.0/settings.ini r,
/etc/gtk-2.0/ r, /etc/gtk-2.0/ r,


@ -0,0 +1,59 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
include <abstractions/base>
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/which rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/date rix,
/{usr/,}bin/find rix,
/{usr/,}bin/du rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/etc/default/locale r,
# The /daily_lock file is only used when the /var/lib/apt/daily_lock can be accessed.
#/daily_lock w,
/var/lib/apt/daily_lock wk,
/var/lib/apt/extended_states r,
/var/backups/apt.extended_states.[0-9]* r,
/var/cache/apt/ r,
/var/cache/apt/archives/ r,
/var/cache/apt/backup/ r,
include if exists <local/apt-systemd-daily>
}
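Review bot: The comment above the commented-out `#/daily_lock w,` rule is unclear about which path is the fallback and under what condition — as written it says `/daily_lock` is used when `/var/lib/apt/daily_lock` *can* be accessed, which is the opposite of what a fallback lock would mean; either reword it (e.g. `# /daily_lock is only reached when apt-config does not yield a usable Dir::State; kept commented until confirmed`) or drop the dead rule. The profile allows `savelog`, `cp`, `mv`, `rm` and `touch` as `rix` but grants only `r` under `/var/backups/` and nothing under `/var/lib/apt/periodic/`; if the script rotates its backups or updates stamp files there (I cannot confirm that from the hunk), those writes will be rejected, so a complain-mode run before enforcing is worth doing. Keeping the helpers as `rix` rather than `Px` is the tighter choice here, since they inherit this narrow profile.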


@ -29,9 +29,7 @@ profile birdtray @{exec_path} {
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
network inet, deny network netlink dgram,
network inet6,
network netlink dgram,
@{exec_path} mr, @{exec_path} mr,
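Review bot: Turning `network netlink dgram,` into `deny network netlink dgram,` changes more than the access decision: an explicit AppArmor `deny` rule also suppresses the audit record for the rejected access, so these socket attempts will now fail silently instead of showing up in the kernel log or aa-notify. That is fine if the goal is to keep the profile quiet, but where the netlink use is unexpected and worth watching, `audit deny network netlink dgram,` keeps the rejection logged. The same point applies to every `deny network netlink raw`/`dgram` hunk in this commit (calibre, chromium, discord, firefox, flameshot, freetube, gajim, google-chrome, keepassxc, keepassxc-proxy, minitube, mpv, opera, psi-plus, qbittorrent, qbittorrent-nox, qnapi, quiterss, smtube, strawberry, telegram-desktop, thunderbird, tint2, vlc, wget). This hunk also appears to drop the bare `network inet,` and `network inet6,` lines from birdtray; the rest of the profile is outside the hunk, so I cannot confirm that narrower inet rules remain for mail polling.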


@ -58,7 +58,7 @@ profile calibre @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,


@ -53,7 +53,7 @@ profile chromium-chromium @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -138,6 +138,12 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/perl> include <abstractions/perl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
/usr/share/popularity-contest/popcon-upload r, /usr/share/popularity-contest/popcon-upload r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
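Review bot: `network netlink raw,` is added as an allow here while the same commit converts it to `deny network netlink raw,` in roughly two dozen other profiles; if, as appears to be the case elsewhere, it only stems from glibc enumerating interfaces during name resolution, a `deny` would quiet it without widening what a root cron job may open. If the upload genuinely needs it, a one-line comment such as `# netlink raw: required by popcon-upload for <reason>` would keep a later cleanup from removing it. The enclosing profile starts above the hunk, so I cannot tell whether the inet rules would fit better in a dedicated child profile for `popcon-upload`.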


@ -43,7 +43,7 @@ profile discord @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -44,7 +44,7 @@ profile firefox @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -36,8 +36,8 @@ profile flameshot @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
network netlink dgram, deny network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -47,7 +47,7 @@ profile freetube @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -35,8 +35,7 @@ profile gajim @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} r, @{exec_path} r,


@ -27,7 +27,6 @@ profile git @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/git-core/git rix, /{usr/,}lib/git-core/git rix,
@ -115,6 +114,11 @@ profile git @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/ssh mr, /{usr/,}bin/ssh mr,
/etc/ssh/ssh_config.d/{,*} r, /etc/ssh/ssh_config.d/{,*} r,


@ -49,7 +49,7 @@ profile google-chrome-chrome @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -37,8 +37,8 @@ profile keepassxc @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -21,9 +21,11 @@ profile keepassxc-proxy @{exec_path} {
signal (receive) set=(term, kill), signal (receive) set=(term, kill),
network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,
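Review bot: `network inet dgram,` and `network inet6 dgram,` are new allows for keepassxc-proxy, whose job is relaying native-messaging traffic between the browser and keepassxc over a local socket; any inet capability widens what this process can reach and deserves a comment stating what triggered it. If the trigger was only resolver-related denial noise, the approach taken in the same hunk for `deny network netlink raw,` would be the narrower fix (with `audit deny` if the rejections should stay visible). The enclosing profile starts above the hunk.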


@ -36,8 +36,8 @@ profile minitube @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -85,7 +85,7 @@ profile mpv @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -52,7 +52,7 @@ profile opera @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -40,7 +40,7 @@ profile psi-plus @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -41,8 +41,8 @@ profile qbittorrent @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -27,8 +27,8 @@ profile qbittorrent-nox @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -68,8 +68,8 @@ profile qnapi @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
network netlink dgram, deny network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -39,8 +39,8 @@ profile quiterss @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
network netlink dgram, deny network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -17,6 +17,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/redshift @{exec_path} = /{usr/,}bin/redshift
profile redshift @{exec_path} { profile redshift @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/wayland>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
@{exec_path} mr, @{exec_path} mr,
@ -36,6 +37,8 @@ profile redshift @{exec_path} {
owner @{HOME}/.config/redshift/{,**} rw, owner @{HOME}/.config/redshift/{,**} rw,
owner @{HOME}/.config/redshift.conf rw, owner @{HOME}/.config/redshift.conf rw,
owner @{run}/user/[0-9]*/redshift-shared-* rw,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner /tmp/xauth-[0-9]*-_[0-9] r, owner /tmp/xauth-[0-9]*-_[0-9] r,


@ -53,6 +53,7 @@ profile reportbug @{exec_path} {
/{usr/,}bin/dlocate rPx, /{usr/,}bin/dlocate rPx,
/{usr/,}bin/apt-cache rPx, /{usr/,}bin/apt-cache rPx,
/{usr/,}bin/dpkg-query rPx, /{usr/,}bin/dpkg-query rPx,
/{usr/,}sbin/exim4 rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
@ -86,6 +87,8 @@ profile reportbug @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/tainted r, @{PROC}/sys/kernel/tainted r,
@{sys}/module/apparmor/parameters/enabled r,
owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw, owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
owner /tmp/[a-z0-9]* rw, owner /tmp/[a-z0-9]* rw,
owner /var/tmp/*.bug{,~} rw, owner /var/tmp/*.bug{,~} rw,
@ -93,6 +96,9 @@ profile reportbug @{exec_path} {
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,
# Silencer
/usr/lib/python3/** w,
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
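Review bot: `/usr/lib/python3/** w,` under the `# Silencer` heading is an allow rule, not a silencer — it lets reportbug write anywhere in the system Python library tree whenever DAC permits it (a run as root, for example), which is far more than quieting `__pycache__` noise. If the intent is to stop the logged write denials, the line should read `deny /usr/lib/python3/** w,`, which both blocks the writes and keeps them out of the log. Separately, `/{usr/,}sbin/exim4 rPx,` requires an `exim4` profile to be loaded at exec time; if this profile set does not ship one, the transition is refused and mail submission breaks, so either add that profile or use `rPUx` where the target profile may be absent.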


@ -88,8 +88,8 @@ profile smplayer @{exec_path} {
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, deny network inet6 stream,
network netlink dgram, deny network netlink dgram,
@{exec_path} mrix, @{exec_path} mrix,
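Review bot: `network inet6 stream,` becomes `deny network inet6 stream,` while `network inet stream,` stays allowed, so smplayer's TCP use is now IPv4-only; on an IPv6-preferred host, stream URLs and update checks that resolve to an AAAA record first will fail, and because it is an explicit `deny` the rejection will not be logged. If a specific noisy connection motivated this, a comment on the line saying so would help; otherwise the deny should probably cover both address families or neither. This differs from every other hunk in the commit, which only touches the netlink rules.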


@ -33,8 +33,8 @@ profile smtube @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -40,8 +40,8 @@ profile strawberry @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -40,8 +40,8 @@ profile telegram-desktop @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink dgram, deny network netlink dgram,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -46,7 +46,7 @@ profile thunderbird @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1". # to "1".


@ -22,7 +22,7 @@ profile tint2 @{exec_path} {
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
network netlink dgram, deny network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -25,22 +25,30 @@ profile unmkinitramfs @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xzcat rix, /{usr/,}bin/xzcat rix,
/{usr/,}bin/lz4cat rix, /{usr/,}bin/lz4cat rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/dd rix, /{usr/,}bin/dd rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix, /{usr/,}bin/getopt rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
/boot/ r,
owner /boot/initrd.img-* r, owner /boot/initrd.img-* r,
/tmp/ r,
owner /tmp/initrd.img-* r, owner /tmp/initrd.img-* r,
/mnt/ r,
owner /mnt/initrd.img-* r, owner /mnt/initrd.img-* r,
/mnt/boot/ r,
owner /mnt/boot/initrd.img-* r, owner /mnt/boot/initrd.img-* r,
# To extract the content of the initrd image # To extract the content of the initrd image


@ -83,7 +83,7 @@ profile vlc @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,


@ -30,7 +30,7 @@ profile wget @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, deny network netlink raw,
@{exec_path} mr, @{exec_path} mr,