feat: profiles update.

2024-11-15 07:54:17 +01:00 · 2022-04-13 22:04:36 +01:00 · 2022-04-13 22:04:36 +01:00 · 1ad60d3b1c
commit 1ad60d3b1c
parent ef9c451559
14 changed files with 56 additions and 35 deletions
--- a/apparmor.d/groups/apt/apt-mark
+++ b/apparmor.d/groups/apt/apt-mark
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -15,6 +16,8 @@ profile apt-mark @{exec_path} {

  /{usr/,}bin/dpkg rPx,

+  /etc/machine-id r,
+
  /var/lib/apt/extended_states{,.*} rw,

  owner @{PROC}/@{pid}/fd/ r,
@ -22,5 +25,7 @@ profile apt-mark @{exec_path} {
  /var/cache/apt/ r,
  /var/cache/apt/** rwk,

+  /dev/pts/[0-9]* rw,
+
  include if exists <local/apt-mark>
 }
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -9,26 +9,28 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/ibus/ibus-dconf
 profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dconf>
+  include <abstractions/nameservice-strict>

  signal (receive) set=term peer=ibus-daemon,

  @{exec_path} mr,

  /usr/share/gdm/greeter-dconf-defaults r,
+  /usr/share/dconf/profile/gdm r,

  /etc/dconf/profile/ibus r,
  /etc/dconf/db/ibus r,
  /var/lib/dbus/machine-id r,

-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
+  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
+  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
+  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
+  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
-  /usr/share/dconf/profile/gdm r,
+  /var/lib/gdm/.cache/dconf/ w,
  /var/lib/gdm/.config/dconf/user r,

  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/desktop/dconf
+++ b/apparmor.d/groups/desktop/dconf
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}bin/dconf
-profile dconf @{exec_path} {
+profile dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  capability sys_nice,
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@ -43,6 +43,13 @@ profile gpg-agent @{exec_path} {
  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,

+  owner @{run}/user/@{uid}/gnupg/ rw,
+  owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
+  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
+  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{run}/user/@{uid}/gnupg/sshcontrol r,
+
  owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
  owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
  owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
@ -68,14 +75,7 @@ profile gpg-agent @{exec_path} {
  owner /tmp/tmp.*/gnupg/S.gpg-agent rw,
  owner /tmp/tmp.*/gnupg/sshcontrol r,

-  # For debuild
-  owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
-  owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
-
-  @{PROC}/@{pid}/fd/ r,
-
-  # file_inherit
-  owner @{HOME}/.xsession-errors w,
+  owner @{PROC}/@{pid}/fd/ r,

  # Silencer
  deny /{usr/,}bin/.gnupg/ w,
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -44,6 +44,7 @@ profile tailscaled @{exec_path} {
  @{PROC}/@{pid}/net/{,**} r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/fd/ r,
+  @{PROC}/@{pids}/net/route r,
  @{PROC}/1/cgroup r,
  @{PROC}/1/environ r,
  @{PROC}/1/stat r,
--- a/apparmor.d/groups/pacman/archlinux-java
+++ b/apparmor.d/groups/pacman/archlinux-java
@ -17,10 +17,14 @@ profile archlinux-java @{exec_path} {
  /{usr/,}bin/basename  rix,
  /{usr/,}bin/bash      rix,
  /{usr/,}bin/dirname   rix,
+  /{usr/,}bin/id        rix,
  /{usr/,}bin/ln        rix,
  /{usr/,}bin/readlink  rix,
  /{usr/,}bin/unlink    rix,

+  /{usr/,}lib/jvm/default w,
+  /{usr/,}lib/jvm/default-runtime w,
+
  /dev/tty rw,

  # Inherit Silencer
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -13,10 +13,11 @@ profile systemd-logind @{exec_path} flags=(complain) {
  include <abstractions/devices-usb>
  include <abstractions/systemd-common>

-  capability sys_tty_config,
  capability chown,
  capability dac_override,
+  capability fowner,
  capability sys_admin,
+  capability sys_tty_config,

  network netlink raw,

@ -73,7 +74,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
  /dev/dri/card[0-9]* rw,
  /dev/tty[0-9]* rw,
  /dev/nvme* r,
-  /dev/shm/ r,
+  /dev/shm/{,**/} r,
  /dev/mqueue/ r,

  @{sys}/module/vt/parameters/default_utf8 r,
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@ -21,11 +21,16 @@ profile atd @{exec_path} {

  signal (receive) set=hup,

+  ptrace (read) peer=unconfined,
+
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh    rix,
  /{usr/,}{s,}bin/sendmail  rPUx,

+  /etc/environment r,
+  /etc/security/limits.d/ r,
+
  /var/spool/cron/atjobs/{,*} rwl,
  /var/spool/cron/atspool/{,*} rwl,

--- a/apparmor.d/profiles-a-f/fail2ban-client
+++ b/apparmor.d/profiles-a-f/fail2ban-client
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}bin/fail2ban-client
-profile fail2ban-client @{exec_path} {
+profile fail2ban-client @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
--- a/apparmor.d/profiles-g-l/gio-querymodules
+++ b/apparmor.d/profiles-g-l/gio-querymodules
@ -11,6 +11,9 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/openssl>

+  capability dac_read_search,
+  capability mknod,
+
  @{exec_path} mr,

  /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -37,6 +37,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  /{usr/,}bin/zstd                   rix,
  /{usr/,}{s,}bin/invoke-rc.d        rix,
  /{usr/,}lib/rsyslog/rsyslog-rotate rix,
+  /{usr/,}bin/fail2ban-client        rPx,

  # no new privs
  #/{usr/,}bin/systemctl              rCx -> systemctl,
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@ -59,6 +59,8 @@ profile s3fs @{exec_path} {
    umount @{MOUNTS}/*/,
    umount @{MOUNTS}/*/*/,
  
+    owner /tmp/s3fstmp.* rw,
+
    @{PROC}/@{pids}/mounts r,

    /dev/fuse rw,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -17,13 +17,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  capability chown,
  capability dac_override,
  capability dac_read_search,
-  capability sys_admin,
-  capability sys_rawio,
-  capability setuid,
  capability setgid,
-
-  # Needed?
-  deny capability sys_nice,
+  capability setuid,
+  capability sys_admin,
+  capability sys_nice,
+  capability sys_rawio,

  network netlink raw,

--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -12,8 +12,8 @@ include <tunables/global>
 profile virt-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dconf>
  include <abstractions/devices-usb>
-  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -21,22 +21,23 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/openssl>
  include <abstractions/opencl>
+  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/vulkan>
-  include <abstractions/X>

  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} rix,
+
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/python3.[0-9]* r,
+  /{usr/,}lib/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,

  /{usr/,}bin/ r,
  /{usr/,}bin/env       rix,
@ -87,9 +88,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
  owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,

+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
        @{run}/mount/utab r,
        @{run}/udev/data/c51[0-9]:[0-9]* r,
-  owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,

  @{sys}/devices/pci[0-9]*/**/drm/ r,
  @{sys}/devices/virtual/drm/ttm/uevent r,
@ -98,10 +101,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pids}/net/route r,
-        
-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,

  /dev/video[0-9]* rw,