update apparmor profiles

Mikhail Morfikov 2020-12-18 11:12:55 +01:00
parent 7067edcf70
commit 156f5d4e3b
34 changed files with 135 additions and 46 deletions


@ -13,6 +13,10 @@
/usr/share/themes/{,**} r,
/usr/share/gtksourceview-[0-9]*/ r,
/usr/share/gtksourceview-[0-9]*/** r,
/usr/share/gtk-3.0/ r,
/usr/share/gtk-3.0/settings.ini r,
/etc/gtk-2.0/ r,
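Review bot: The two new gtksourceview rules can collapse into one, matching the `{,**}` form the themes rule just above already uses: `/usr/share/gtksourceview-[0-9]*/{,**} r,`. The gtk-3.0 pair is fine as written — keeping `settings.ini` explicit is tighter than a `{,**}` glob over a directory that also holds other files. The enclosing profile header is outside the hunk.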


@ -0,0 +1,59 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
include <abstractions/base>
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/which rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/date rix,
/{usr/,}bin/find rix,
/{usr/,}bin/du rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/etc/default/locale r,
# The /daily_lock file is only used when the /var/lib/apt/daily_lock can be accessed.
#/daily_lock w,
/var/lib/apt/daily_lock wk,
/var/lib/apt/extended_states r,
/var/backups/apt.extended_states.[0-9]* r,
/var/cache/apt/ r,
/var/cache/apt/archives/ r,
/var/cache/apt/backup/ r,
include if exists <local/apt-systemd-daily>
}
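Review bot: `cp`, `cmp` and `savelog` are granted, which suggests the daily script's backup step rotates `/var/backups/apt.extended_states`, yet the only rule under `/var/backups/` is read-only (`/var/backups/apt.extended_states.[0-9]* r,`), so that step would be denied the first time the file changes. If it does write there, something like `/var/backups/apt.extended_states{,.[0-9]*}{,.gz} rw,` is needed; I can't confirm the exact rotation names from the profile alone. The `rPx` transitions to `apt-config` and `apt-get` refuse the exec if those profiles are not loaded, which is worth a one-line comment since this runs unattended as root. The comment on the disabled `/daily_lock` rule reads as if the fallback is used when `/var/lib/apt/daily_lock` *can* be accessed; it most likely means *cannot*, and saying so would stop someone re-enabling the rule by mistake.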


@ -29,9 +29,7 @@ profile birdtray @{exec_path} {
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet,
network inet6,
network netlink dgram,
deny network netlink dgram,
@{exec_path} mr,
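Review bot: `deny network netlink dgram,` quiets the audit log as well as blocking the socket, so the trail no longer shows birdtray attempting netlink at all; that is fine for silencing a Qt/glib interface probe, but it also hides the failure if a later version genuinely needs rtnetlink. A comment such as `# Silences Qt's interface enumeration; not needed for operation` above the deny would record why it is considered safe. The same consideration applies to every other `deny network netlink ...` switch in this commit, so I am not repeating it per profile. The profile header is outside the hunk.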


@ -58,7 +58,7 @@ profile calibre @{exec_path} {
capability sys_ptrace,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
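Review bot: `capability sys_ptrace` stays granted right above the new `deny network netlink raw,`, and it is by far the broader of the two — it lets calibre inspect and attach to other processes of the same user, a lot of reach for a document viewer. I can't tell from this hunk what triggers it; if it only stems from calibre reading `/proc/<pid>/` entries of its own helpers, an explicit `ptrace (read)` rule may be a narrower fit, and either way a comment naming the feature that needs it would help. Not introduced by this commit, but worth settling while the network rules are being tightened.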


@ -53,7 +53,7 @@ profile chromium-chromium @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -138,6 +138,12 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/perl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
/usr/share/popularity-contest/popcon-upload r,
/{usr/,}bin/perl r,
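Review bot: `network netlink raw,` is granted here while the rest of this commit turns the same rule into `deny network netlink raw,` in two dozen other profiles, so a reader will wonder whether this one was missed. If it is intentional — glibc's resolver can open an rtnetlink socket during `getaddrinfo()` to enumerate local addresses, which perl's upload would hit — say so with a comment like `# getaddrinfo() needs rtnetlink to enumerate local addresses`. If it turns out not to be needed, denying it keeps popcon-upload consistent with the others. The enclosing sub-profile header is outside the hunk.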


@ -43,7 +43,7 @@ profile discord @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -44,7 +44,7 @@ profile firefox @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -36,8 +36,8 @@ profile flameshot @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
network netlink dgram,
deny network netlink raw,
deny network netlink dgram,
@{exec_path} mr,


@ -47,7 +47,7 @@ profile freetube @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -35,8 +35,7 @@ profile gajim @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} r,


@ -27,7 +27,6 @@ profile git @{exec_path} {
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}lib/git-core/git rix,
@ -115,6 +114,11 @@ profile git @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/ssh mr,
/etc/ssh/ssh_config.d/{,*} r,
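Review bot: `/{usr/,}bin/ssh mr,` keeps ssh inside this (sub)profile, whose header and remaining rules are outside the hunk, so whatever key, known_hosts and agent-socket access ssh gets comes from those rules; make sure private-key reads are scoped with `owner @{HOME}/.ssh/**` and that no broad exec rule exists, because ssh's `ProxyCommand`/`LocalCommand` options run arbitrary programs that would inherit this profile. A one-line comment above the ssh rule stating that it is intentionally kept in-profile rather than transitioned with `Px` would document that choice. The new `network inet/inet6 dgram`+`stream` set is the minimum ssh needs, which is fine.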


@ -49,7 +49,7 @@ profile google-chrome-chrome @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -37,8 +37,8 @@ profile keepassxc @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mrix,


@ -21,9 +21,11 @@ profile keepassxc-proxy @{exec_path} {
signal (receive) set=(term, kill),
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mr,
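Review bot: The `network inet`/`inet6` `dgram` and `stream` rules give keepassxc-proxy outbound and inbound IP networking, yet as far as I know the proxy only relays native-messaging between the browser (stdio) and KeePassXC (a local unix socket), so it should not need an IP socket at all. If these rules exist only to quiet a Qt interface probe, `deny network inet ...` achieves the silence without granting the capability; if the proxy really opens an IP socket, a comment naming the feature would justify the grant. The profile header is outside the hunk.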


@ -36,8 +36,8 @@ profile minitube @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mr,


@ -85,7 +85,7 @@ profile mpv @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mr,


@ -52,7 +52,7 @@ profile opera @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -40,7 +40,7 @@ profile psi-plus @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
deny network netlink dgram,
@{exec_path} mr,


@ -41,8 +41,8 @@ profile qbittorrent @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mr,


@ -27,8 +27,8 @@ profile qbittorrent-nox @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mr,


@ -68,8 +68,8 @@ profile qnapi @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
network netlink dgram,
deny network netlink raw,
deny network netlink dgram,
@{exec_path} mr,


@ -39,8 +39,8 @@ profile quiterss @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
network netlink dgram,
deny network netlink raw,
deny network netlink dgram,
@{exec_path} mr,


@ -17,6 +17,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/redshift
profile redshift @{exec_path} {
include <abstractions/base>
include <abstractions/wayland>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
@ -36,6 +37,8 @@ profile redshift @{exec_path} {
owner @{HOME}/.config/redshift/{,**} rw,
owner @{HOME}/.config/redshift.conf rw,
owner @{run}/user/[0-9]*/redshift-shared-* rw,
owner @{HOME}/.Xauthority r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
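Review bot: The new `owner /tmp/xauth-[0-9]*-_[0-9] r,` rule only matches single-digit display numbers; `owner /tmp/xauth-[0-9]*-_[0-9]* r,` would be consistent with the uid part and costs nothing. A comment naming the setup that creates these files would help the next maintainer — this looks like the per-session cookie that startx/xinit writes, but I can't confirm that from the hunk. The second hunk sits inside a rule run whose start is outside the hunk.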


@ -53,6 +53,7 @@ profile reportbug @{exec_path} {
/{usr/,}bin/dlocate rPx,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/dpkg-query rPx,
/{usr/,}sbin/exim4 rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
@ -86,6 +87,8 @@ profile reportbug @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/tainted r,
@{sys}/module/apparmor/parameters/enabled r,
owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
owner /tmp/[a-z0-9]* rw,
owner /var/tmp/*.bug{,~} rw,
@ -93,6 +96,9 @@ profile reportbug @{exec_path} {
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# Silencer
/usr/lib/python3/** w,
profile run-parts {
include <abstractions/base>
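Review bot: `/usr/lib/python3/** w,` under `# Silencer` is an allow rule, not a deny: it grants reportbug write access to the system Python tree, so when reportbug runs as root the confinement no longer stops a bug in it, or in any module it imports, from modifying installed packages. Explicit `deny` rules are the ones AppArmor keeps out of the log, so the silencer should read `deny /usr/lib/python3/** w,`. `owner /tmp/[a-z0-9]* rw,` is also very wide — it matches almost any short lowercase name in /tmp and overlaps the temp files of every other confined program the same user runs; the actual names reportbug creates (the `reportbug-*-...` rule above already covers one of them) would be a safer target. The profile continues outside the hunk.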


@ -88,8 +88,8 @@ profile smplayer @{exec_path} {
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
deny network inet6 stream,
deny network netlink dgram,
@{exec_path} mrix,
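Review bot: `deny network inet6 stream,` sits next to an unchanged `network inet stream,` grant, so smplayer keeps IPv4 TCP but loses IPv6 TCP, and because deny rules win over allows any IPv6-only host it is pointed at will simply fail to connect. If this is deliberate (for instance to stop a probe that only shows up on inet6), a comment next to the deny would keep it from being read as a typo; if not, the `inet6 stream` rule should remain an allow like its IPv4 twin. The profile header is outside the hunk.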


@ -33,8 +33,8 @@ profile smtube @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mr,


@ -40,8 +40,8 @@ profile strawberry @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mr,


@ -40,8 +40,8 @@ profile telegram-desktop @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
deny network netlink dgram,
deny network netlink raw,
@{exec_path} mr,


@ -46,7 +46,7 @@ profile thunderbird @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".


@ -22,7 +22,7 @@ profile tint2 @{exec_path} {
include <abstractions/deny-root-dir-access>
include <abstractions/app-launcher-user>
network netlink dgram,
deny network netlink dgram,
@{exec_path} mr,


@ -25,22 +25,30 @@ profile unmkinitramfs @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xzcat rix,
/{usr/,}bin/lz4cat rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
/boot/ r,
owner /boot/initrd.img-* r,
/tmp/ r,
owner /tmp/initrd.img-* r,
/mnt/ r,
owner /mnt/initrd.img-* r,
/mnt/boot/ r,
owner /mnt/boot/initrd.img-* r,
# To extract the content of the initrd image
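Review bot: `/{usr/,}bin/cpio rix,` appears twice in the rule list; if both lines survive on the new side (the rendered page does not show which is old), one of them is redundant and should go. The `owner` qualifier on the `initrd.img-*` read rules also means a non-root user cannot extract a root-owned image in /boot even where DAC would allow it; if that is intended (initrds can embed secrets, so forcing root is defensible) a comment saying so would help, otherwise drop `owner` and let DAC decide. The rest of the profile, including the extraction rules the trailing comment refers to, is outside the hunk.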


@ -83,7 +83,7 @@ profile vlc @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mrix,


@ -30,7 +30,7 @@ profile wget @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
deny network netlink raw,
@{exec_path} mr,