diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 296fd674..5fd24129 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,6 +16,8 @@ profile apt-mark @{exec_path} { /{usr/,}bin/dpkg rPx, + /etc/machine-id r, + /var/lib/apt/extended_states{,.*} rw, owner @{PROC}/@{pid}/fd/ r, @@ -22,5 +25,7 @@ profile apt-mark @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, + /dev/pts/[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 9d903bf8..cc8aa793 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
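Review bot: The new `/dev/pts/[0-9]* rw,` rule in the last apt-mark hunk grants read/write on every pseudo-terminal on the host, not just the one apt-mark inherited as stdio, so a confined apt-mark could write into other users' terminal sessions. An `owner` qualifier would not narrow it in the common `sudo apt-mark` case, because the pty node belongs to the invoking user while the process runs with fsuid 0, so the breadth is probably unavoidable — but it should be recorded, e.g. `# inherited stdio pty (file_inherit), hence no owner`. If the rule was motivated by something other than an inherited fd, the comment should name that instead, since I am inferring the cause from the pattern.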
@@ -9,26 +9,28 @@ include @{exec_path} = /{usr/,}lib/ibus/ibus-dconf profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=term peer=ibus-daemon, @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/dconf/profile/gdm r, /etc/dconf/profile/ibus r, /etc/dconf/db/ibus r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, + owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r, + /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, + /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, + /var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/desktop/dconf b/apparmor.d/groups/desktop/dconf index 2dc3d12b..16212294 100644 --- a/apparmor.d/groups/desktop/dconf +++ b/apparmor.d/groups/desktop/dconf @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/dconf -profile dconf @{exec_path} { +profile dconf @{exec_path} flags=(attach_disconnected) { include capability sys_nice, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 6fd2f285..3b7dcea6 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
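Review bot: `/var/lib/gdm/.cache/dconf/ w,` only permits creating the directory itself; a `w` on a trailing-slash path does not cover the shm file dconf keeps inside it. The runtime-dir variant a few lines above is written as a pair (`owner @{run}/user/@{uid}/dconf/ rw,` plus `owner @{run}/user/@{uid}/dconf/user rw,`), so if the `~/.cache/dconf` fallback is really exercised for the gdm user, expect a follow-up denial on the file and add `/var/lib/gdm/.cache/dconf/user rw,` alongside. A short comment such as `# dconf shm fallback when XDG_RUNTIME_DIR is unset (gdm greeter)` would explain why a cache path is written at all; I am inferring the fallback cause from the path, so confirm it against the denial that motivated the rule.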
@@ -43,6 +43,13 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/sshcontrol r, + owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, @@ -68,14 +75,7 @@ profile gpg-agent @{exec_path} { owner /tmp/tmp.*/gnupg/S.gpg-agent rw, owner /tmp/tmp.*/gnupg/sshcontrol r, - # For debuild - owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w, - owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, - - @{PROC}/@{pid}/fd/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, + owner @{PROC}/@{pid}/fd/ r, # Silencer deny /{usr/,}bin/.gnupg/ w, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index d065a097..9f7d73f9 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -44,6 +44,7 @@ profile tailscaled @{exec_path} { @{PROC}/@{pid}/net/{,**} r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/net/route r, @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/1/stat r, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 650924f0..06802b1f 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java 
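Review bot: Removing `owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,` in the second gpg-agent hunk drops the only rule for the per-homedir socket directories (`d.<hash>/`) that gpg, as far as I know, creates under the runtime dir when a non-default `--homedir` is in use; the rules added in the first hunk cover `@{run}/user/@{uid}/gnupg/` itself but not those subdirectories. If the debuild use case is intentionally no longer supported, a one-line comment saying so would stop the rule being re-added blindly on the next denial; if it is still wanted, keep an equivalent such as `owner @{run}/user/@{uid}/gnupg/d.*/ rw,` and `owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.ssh,.browser,.extra} rw,`. The change to `owner @{PROC}/@{pid}/fd/ r,` is a good tightening and needs nothing further.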
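Review bot: `@{PROC}/@{pids}/net/route r,` is broader than the existing `@{PROC}/@{pid}/net/{,**} r,` two lines above it, which already covers tailscaled's own `/proc/<pid>/net/route` (`/proc/net` resolves to `/proc/self/net`). As written it permits reading the routing table of every process's network namespace, which is presumably not what tailscaled needs; if the denial that prompted it named a pid other than tailscaled's own (a helper it spawns, say), a comment such as `# route lookup on behalf of <which process>` should say so, otherwise the new line looks redundant and can be dropped. Whether `@{pid}` and `@{pids}` differ in enforcement depends on the tunables in use, so the concern is mainly about documenting intent.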
@@ -17,10 +17,14 @@ profile archlinux-java @{exec_path} { /{usr/,}bin/basename rix, /{usr/,}bin/bash rix, /{usr/,}bin/dirname rix, + /{usr/,}bin/id rix, /{usr/,}bin/ln rix, /{usr/,}bin/readlink rix, /{usr/,}bin/unlink rix, + /{usr/,}lib/jvm/default w, + /{usr/,}lib/jvm/default-runtime w, + /dev/tty rw, # Inherit Silencer diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index adaa5d80..66cca7e3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -13,10 +13,11 @@ profile systemd-logind @{exec_path} flags=(complain) { include include - capability sys_tty_config, capability chown, capability dac_override, + capability fowner, capability sys_admin, + capability sys_tty_config, network netlink raw, @@ -73,7 +74,7 @@ profile systemd-logind @{exec_path} flags=(complain) { /dev/dri/card[0-9]* rw, /dev/tty[0-9]* rw, /dev/nvme* r, - /dev/shm/ r, + /dev/shm/{,**/} r, /dev/mqueue/ r, @{sys}/module/vt/parameters/default_utf8 r, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 19242483..8521bab8 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -21,11 +21,16 @@ profile atd @{exec_path} { signal (receive) set=hup, + ptrace (read) peer=unconfined, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{s,}bin/sendmail rPUx, + /etc/environment r, + /etc/security/limits.d/ r, + /var/spool/cron/atjobs/{,*} rwl, /var/spool/cron/atspool/{,*} rwl, diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 5eef6ddd..83c3e694 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/fail2ban-client -profile fail2ban-client @{exec_path} { +profile fail2ban-client @{exec_path} flags=(attach_disconnected) { include include include 
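Review bot: `capability fowner,` is added to systemd-logind without a comment saying which operation needs it; fowner bypasses the owner check on mode, timestamp and xattr changes for every file the process can reach, so the trigger is worth recording. Following the file's style, something like `# fowner: set mode/ACLs on seat devices it does not own (/dev/dri/card*, /dev/tty*)` next to the rule — adjusted to the actual denial — would do; I am inferring the device-ACL cause from the `/dev/dri` and `/dev/tty` rules in the second hunk, so confirm it. The profile is still `flags=(complain)`, so none of these capabilities are enforced yet, which makes it all the more important that the rationale is written down before the switch to enforce.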
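Review bot: `ptrace (read) peer=unconfined,` lets atd pass PTRACE_MODE_READ checks against every unconfined process on the host, which is what reading another process's `/proc/<pid>/{environ,maps,stat,...}` requires; since most processes on a typical system are unconfined, this is a broad grant that deserves a why-comment naming the path that triggered it. If the target is a single well-known process (PID 1 via a PAM module, for example), say so: `# ptrace read: needed for @{PROC}/1/... (pam session setup)` — adjusted to the real cause, which the hunk does not show. Separately, `/etc/security/limits.d/ r,` grants only the directory listing; pam_limits also opens the `*.conf` files beneath it, so unless an included abstraction already covers them, add `/etc/security/limits.d/*.conf r,`.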
diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index d2a63e5f..826d7de6 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -11,6 +11,9 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, + capability mknod, + @{exec_path} mr, /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 29089244..073dc510 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -37,6 +37,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/zstd rix, /{usr/,}{s,}bin/invoke-rc.d rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix, + /{usr/,}bin/fail2ban-client rPx, # no new privs #/{usr/,}bin/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index f26e24bc..fbd72393 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -59,6 +59,8 @@ profile s3fs @{exec_path} { umount @{MOUNTS}/*/, umount @{MOUNTS}/*/*/, + owner /tmp/s3fstmp.* rw, + @{PROC}/@{pids}/mounts r, /dev/fuse rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 92e7f4f9..b881f383 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
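Review bot: `capability mknod,` is a surprising grant for gio-querymodules, whose only write visible in this hunk is the `giomodule.cache` file under `/{usr/,}lib/gtk-{3,4}.0/`; creating regular files does not require CAP_MKNOD, which exists to create device and special nodes and is a well-known privilege-escalation primitive for a root process. `capability dac_read_search,` is similarly broad, letting the tool bypass read permission on every directory and file. Please record what triggered each in a comment, e.g. `# mknod, dac_read_search: observed under <packaging tool>, see <issue>`, and if the mknod denial turns out to be a harmless probe, the project's `deny capability ...,` silencer form (used in the udisksd profile in this same patch) is preferable to allowing it.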
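Review bot: `/{usr/,}bin/fail2ban-client rPx,` is a profile transition that the kernel refuses with EPERM when the caller runs under no_new_privs, and the neighbouring `# no new privs` comment on the disabled `systemctl rCx` line suggests logrotate is in exactly that situation on at least one distribution (systemd unit hardening). If that applies here, the exec will fail rather than transition, and the hunk should either use `rix` (run fail2ban-client inside the logrotate profile) or document the assumption, e.g. `# fail2ban-client: Px requires logrotate.service without NoNewPrivileges`. In my understanding the no_new_privs check applies regardless of the profile's `complain` flag, so this is worth testing against the distribution's unit before the profile is switched to enforce.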
@@ -17,13 +17,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, - capability sys_admin, - capability sys_rawio, - capability setuid, capability setgid, - - # Needed? - deny capability sys_nice, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_rawio, network netlink raw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 1f2180f0..5439336f 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,8 +12,8 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include include - include include include include @@ -21,22 +21,23 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include - include include + include include include include include include - include network inet stream, network inet6 stream, network netlink raw, @{exec_path} rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}lib/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w, /{usr/,}bin/ r, /{usr/,}bin/env rix, @@ -87,9 +88,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, @{run}/udev/data/c51[0-9]:[0-9]* r, - owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/virtual/drm/ttm/uevent r, @@ -98,10 +101,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/net/route r, - - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /dev/video[0-9]* rw,
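Review bot: The udisksd hunk flips `deny capability sys_nice,` to `capability sys_nice,` and drops the `# Needed?` marker, so both the reason for the earlier deliberate denial and the reason for reversing it are lost. sys_nice is low-risk on its own, but a daemon that already holds `sys_admin` and `sys_rawio` is exactly where readers will want each capability justified; add a short comment such as `# sys_nice: udisksd adjusts the priority of its worker threads (observed denial)` — adjusted to the actual audit entry, which I cannot see here. If the capability was only ever probed and never needed, keeping the `deny` as a silencer is the safer choice.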
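Review bot: `/{usr/,}lib/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,` covers only the temporary name that, as far as I know, Python's importlib writes before atomically renaming it onto `guestfs.cpython-[0-9]*.pyc`; AppArmor requires `w` on the rename destination too, so the rule as written will still yield a denial on the final name. It also only ever matters when virt-manager runs as root (an unprivileged user cannot write into `site-packages` anyway), which is not how a GUI frontend should normally run. Either leave the rule out and let Python silently skip caching, or cover both names with `/{usr/,}lib/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc{,.[0-9]*} w,` together with a comment explaining why virt-manager is expected to run as root.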