From 1dc8714cb2efbd0f4272afd4da8b749f9fd1daeb Mon Sep 17 00:00:00 2001
From: valoq
Date: Mon, 28 Oct 2024 15:41:41 +0100
Subject: [PATCH] various improvements (#590)
---
 apparmor.d/abstractions/app/editor | 2 +-
 apparmor.d/abstractions/app/firefox | 2 +-
 apparmor.d/abstractions/audio-client | 3 +++
 apparmor.d/groups/gpg/scdaemon | 1 +
 apparmor.d/profiles-m-r/mutt | 6 +++++-
 apparmor.d/profiles-m-r/ouch | 1 +
 apparmor.d/profiles-m-r/pinentry-curses | 2 ++
 .../profiles-m-r/{pinentry-gtk-2 => pinentry-gtk} | 11 +++++++----
 apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox | 4 ++++
 apparmor.d/profiles-s-z/w3m | 2 +-
 10 files changed, 26 insertions(+), 8 deletions(-)
 rename apparmor.d/profiles-m-r/{pinentry-gtk-2 => pinentry-gtk} (70%)
diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index 1d501eb9..3992fb7b 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -12,7 +12,7 @@
 @{sh_path} rix,
 @{bin}/nvim mix,
 @{bin}/sensible-editor mr,
- @{bin}/vim{,.*} mix,
+ @{bin}/vim{,.*} mrix,
 @{bin}/which{,.debianutils} ix,
 /usr/share/nvim/{,**} r,
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 2a2f612b..c749bf25 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -92,7 +92,7 @@
 owner @{cache_dirs}/ rw,
 owner @{cache_dirs}/** rwk,
- /tmp/ r,
+ /tmp/ rw,
 /var/tmp/ r,
 owner @{tmp}/@{name}/ rw,
 owner @{tmp}/@{name}/* rwk,
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index d847c732..166229a0 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@@ -11,6 +11,7 @@
 /usr/share/openal/hrtf/{,**} r,
 /usr/share/pipewire/client-rt.conf r,
 /usr/share/pipewire/client.conf r,
+ /usr/share/pipewire/jack.conf r,
 /usr/share/sounds/{,**} r,
 /etc/alsa/conf.d/{,**} r,
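Review bot: The firefox hunk widens `/tmp/ r,` to `/tmp/ rw,` on the directory itself, without `owner` and with a literal path, while the rules two lines below use `@{tmp}` for the same tree; if `@{tmp}` expands to `/tmp` here, `@{tmp}/ rw,` keeps the abstraction consistent with its own variable usage. A why-comment should say which operation needs write on the shared directory rather than on the app's own `@{tmp}/@{name}/` subtree, e.g. `# TODO(review): document why w on /tmp/ itself is required`, so the grant stays reviewable. `/var/tmp/ r,` is left read-only, which looks intended but is worth confirming alongside.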
@@ -60,6 +61,8 @@
 /dev/shm/ r,
 owner /dev/shm/pulse-shm-@{int} rw,
+ /dev/snd/controlC@{int} r,
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index e88f34d4..5d2cafd9 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -16,6 +16,7 @@ profile scdaemon @{exec_path} {
 network netlink raw,
 signal (send) peer=gpg-agent,
+ signal send set=usr2 peer=unconfined,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index fb1e94c1..28006f47 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -62,6 +62,7 @@ profile mutt @{exec_path} {
 owner @{HOME}/.mutthistory rwk,
 owner @{HOME}/.muttrc* r,
 owner @{HOME}/.signature r, # Mutt signature file
+ owner @{HOME}/ r,
 # User mbox
 # Could be a file or dir depending on mbox_type variable
@@ -91,11 +92,14 @@ profile mutt @{exec_path} {
 @{bin}/w3m mrix,
 @{bin}/lynx mrix,
- owner @{HOME}/.w3m/* rw,
+ owner @{HOME}/.w3m/{,**} rw,
 owner @{user_mail_dirs}/{,**} r,
 owner @{user_mail_dirs}/tmp/{,**} rw,
 owner /{var/,}tmp/mutt* rw,
+ owner /tmp/w3m-@{rand6} rw,
+ owner /tmp/w3m-@{rand6}/{,**} rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch
index d0b75aae..ef3ea4be 100644
--- a/apparmor.d/profiles-m-r/ouch
+++ b/apparmor.d/profiles-m-r/ouch
@@ -15,6 +15,7 @@ profile ouch @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/.tmp@{rand6}/{,**} rw,
+ owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw,
 @{sys}/fs/cgroup/user.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses
index a3ec65c4..c14b4102 100644
--- a/apparmor.d/profiles-m-r/pinentry-curses
+++ b/apparmor.d/profiles-m-r/pinentry-curses
@@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} {
 /usr/share/terminfo/** r,
+ owner /dev/tty@{int} r,
+
 include if exists
 }
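Review bot: In the scdaemon hunk, `signal send set=usr2 peer=unconfined,` allows SIGUSR2 to be delivered to any unconfined process, a far wider peer than the `signal (send) peer=gpg-agent,` line directly above it, and nothing records which receiver motivates it. A why-comment naming the intended target belongs on the line, e.g. `# TODO(review): name the unconfined receiver (an agent started outside the profile set?)`, and if that receiver is in fact confined by another profile the rule should use its label instead of `unconfined`. The two signal rules also mix `(send)` and bare `send` syntax; one form should be used for both. The scdaemon profile body begins and ends outside this hunk.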
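Review bot: The second mutt hunk adds `owner /tmp/w3m-@{rand6} rw,` and `owner /tmp/w3m-@{rand6}/{,**} rw,` with a literal `/tmp/`, whereas the neighbouring `owner /{var/,}tmp/mutt* rw,` line and the w3m profile hunk at the end of this patch (`owner @{tmp}/w3m-@{rand6}/{,**} rw,`) use the project's `@{tmp}` and `/{var/,}tmp` forms. Because w3m is run with `@{bin}/w3m mrix,` and so inherits the mutt profile, these two rules are the ones that actually govern w3m's temp files under mutt and should mirror the w3m profile exactly, e.g. `owner @{tmp}/w3m-@{rand6} rw,` and `owner @{tmp}/w3m-@{rand6}/{,**} rw,` if `@{tmp}` expands the same way here. A comment such as `# w3m (ix) temp files, keep in sync with profiles-s-z/w3m` would make the coupling visible to the next editor. The profile header is outside the hunk; its closing brace is inside it.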
diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk
similarity index 70%
rename from apparmor.d/profiles-m-r/pinentry-gtk-2
rename to apparmor.d/profiles-m-r/pinentry-gtk
index 49e9ac30..a0244956 100644
--- a/apparmor.d/profiles-m-r/pinentry-gtk-2
+++ b/apparmor.d/profiles-m-r/pinentry-gtk
@@ -7,9 +7,10 @@
 abi ,
 include
-@{exec_path} = @{bin}/pinentry-gtk-2
-profile pinentry-gtk-2 @{exec_path} {
+@{exec_path} = @{bin}/pinentry-gtk{,-2}
+profile pinentry-gtk @{exec_path} {
 include
+ include
 include
 include
 include
@@ -17,11 +18,13 @@ profile pinentry-gtk-2 @{exec_path} {
 @{exec_path} mr,
- /usr/share/gtk-2.0/gtkrc r,
+ /usr/share/gtk-@{int}.@{int}/{,**} r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
- include if exists
+ owner /dev/tty@{int} r,
+
+ include if exists
 }
 # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index b9efca35..51c625d5 100644
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 capability sys_admin,
 capability sys_chroot,
+ capability dac_override,
 @{exec_path} mr,
@@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 @{PROC}/@{pid}/oom_adj w,
 @{PROC}/@{pid}/oom_score_adj w,
+ # Silencer
+ deny /dev/pts/@{int} rw, # file_inherit
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m
index 1a0e3341..ade896ea 100644
--- a/apparmor.d/profiles-s-z/w3m
+++ b/apparmor.d/profiles-s-z/w3m
@@ -36,7 +36,7 @@ profile w3m @{exec_path} {
 owner @{user_config_dirs}/w3m/{,**} rw,
- owner @{tmp}/@{rand6}/{,**} rw,
+ owner @{tmp}/w3m-@{rand6}/{,**} rw,
 include if exists
 }
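Review bot: The first pinentry-gtk hunk renames the profile label from `pinentry-gtk-2` to `pinentry-gtk`, so every reference to the old label has to move with it: the `include if exists` local-override file replaced in the second hunk (its target is stripped in this rendering, so please confirm it now points at the new name), any other profile that transitions to or names `pinentry-gtk-2`, and users' existing local tweaks, which will otherwise silently stop applying. The widened attachment `@{exec_path} = @{bin}/pinentry-gtk{,-2}` deserves a one-line comment on why both binary names are covered, e.g. `# Also attaches to the legacy pinentry-gtk-2 binary name`. The added `include` line has lost its target in this view as well, so its intended abstraction cannot be checked here. The profile body continues past the end of this hunk.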
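Review bot: In the first signal-desktop-chrome-sandbox hunk, `capability dac_override,` is added with no comment saying which access triggered it, even though it lets the process bypass discretionary file permission checks and joins an already privileged set (`sys_admin`, `sys_chroot`). The line should carry a why-comment, e.g. `# TODO(review): record the denied operation that needs dac_override`, and if the underlying access is only noise the profile's own silencer convention from the next hunk (`# Silencer` plus a `deny` rule) is the narrower choice, i.e. `deny capability dac_override,` instead of granting it. The profile header is outside this hunk.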