From 1e729e6b46c6aa84b46094da7dd738f80915790c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 4 Mar 2022 21:30:34 +0000
Subject: [PATCH] Profiles update.
---
 apparmor.d/groups/bus/dbus-daemon | 1 +
 apparmor.d/groups/bus/dbus-run-session | 4 +-
 apparmor.d/groups/gnome/gnome-contacts | 7 ++--
 apparmor.d/groups/gpg/gpg-agent | 10 ++++-
 apparmor.d/profiles-a-f/fusermount | 17 +++++----
 apparmor.d/profiles-a-f/fwupd | 51 ++++++++++++++------------
 apparmor.d/profiles-g-l/git | 4 +-
 apparmor.d/profiles-g-l/kmod | 1 +
 apparmor.d/profiles-m-r/ntfs-3g | 1 -
 dists/flags/arch.flags | 3 --
 dists/flags/main.flags | 1 -
 11 files changed, 56 insertions(+), 44 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 7f425725..2bbd3973 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -48,6 +48,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/dbus-1/{,**} r,
   @{user_share_dirs}/icc/{,edid-*} r,
+  owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
   @{PROC}/@{pid}/oom_score_adj rw,
   @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session
index 74f17b24..0cfa2d3a 100644
--- a/apparmor.d/groups/bus/dbus-run-session
+++ b/apparmor.d/groups/bus/dbus-run-session
@@ -11,7 +11,7 @@ profile dbus-run-session @{exec_path} {
   include
   signal (receive) set=term peer=gdm,
-  signal (receive) set=(term, kill) peer=gdm-wayland-session,
+  signal (receive) set=(term, kill) peer=gdm-*-session,
   signal (send) set=term peer=dbus-daemon,
   @{exec_path} mr,
@@ -30,6 +30,8 @@ profile dbus-run-session @{exec_path} {
   /usr/share/dconf/profile/gdm r,
   /var/lib/gdm/.config/dconf/user r,
+  owner @{PROC}/@{pid}/fd/ r,
+
   # file_inherit
   /dev/tty rw,
   /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts
index ec764ecd..abe956d3 100644
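Review bot: The widened `peer=gdm-*-session` in the dbus-run-session signal-receive rule accepts term/kill from any profile whose name happens to match that pattern, not only the gdm session profiles it is presumably meant to cover. Receiving signals is low risk, but keeping the peer set enumerable costs one alternation, e.g. `signal (receive) set=(term, kill) peer=gdm-{x,wayland}-session,` if a gdm-x-session profile is what prompted the change. The dbus-run-session profile body continues outside the hunk.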
--- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,10 +9,13 @@ include @{exec_path} = /{usr/,}bin/gnome-contacts profile gnome-contacts @{exec_path} { include + include include include include + include include + include include include @@ -25,18 +28,14 @@ profile gnome-contacts @{exec_path} { /usr/share/applications/{,*.desktop} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, - owner @{user_cache_dirs}/gstreamer*/{,**} r, owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, @{PROC}/sys/dev/i915/perf_stream_paranoid r, - /dev/ r, - include if exists } diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index ac5cedc8..18dd5804 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2017-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -28,6 +29,13 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, + owner @{MOUNTS}/*/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/*/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{MOUNTS}/*/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, + owner @{MOUNTS}/*/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{MOUNTS}/*/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/*/@{XDG_GPG_DIR}/sshcontrol r, + owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw, 
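Review bot: The six new `owner @{MOUNTS}/*/@{XDG_GPG_DIR}/…` rules in gpg-agent are a verbatim copy of the `@{HOME}/@{XDG_GPG_DIR}` rule set visible just above them (a third copy exists for `@{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/`), so the next rule added to one copy is likely to be missed in the others. A file-level variable would collapse at least the first two, e.g. `@{gpg_dirs} = @{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/*/@{XDG_GPG_DIR}` followed by a single rule set on `owner @{gpg_dirs}/…`. Since `@{MOUNTS}` presumably expands to removable/external mountpoints, a one-line comment such as `# keyrings kept on external media` would record why private-key write access there is intended. The `@{XDG_PROJECTS_DIR}` rule block continues past the end of the hunk.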
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index a0125f26..beaafa9c 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,11 +17,15 @@ profile fusermount @{exec_path} { @{exec_path} mr, + /etc/fuse.conf r, + /etc/machine-id r, + # Where to mount ISO files owner @{HOME}/*/ rw, owner @{HOME}/*/*/ rw, owner @{user_cache_dirs}/**/ rw, @{run}/user/@{uid}/doc/ r, + /var/tmp/flatpak-cache-*/*/ r, # Be able to mount ISO images mount fstype={fuse,fuse.*} -> @{HOME}/*/, @@ -30,6 +34,7 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/, mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/, + mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/, umount @{HOME}/*/, umount @{HOME}/*/*/, @@ -38,13 +43,11 @@ profile fusermount @{exec_path} { umount @{MOUNTS}/*/*/, umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, - - /etc/fuse.conf r, - /etc/machine-id r, - - /dev/fuse rw, + umount /var/tmp/flatpak-cache-*/*/, @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 526d9a6f..e88775bd 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
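Review bot: The new `/var/tmp/flatpak-cache-*/*/ r,` rule in fusermount has no `owner` qualifier, unlike the `owner @{HOME}/*/` and `owner @{user_cache_dirs}/**/` mountpoint rules beside it, and `/var/tmp` is world-writable, so any local user can create a directory matching the glob; fusermount's own mountpoint checks may still reject it, but the profile need not lean on that. If flatpak creates these directories as the invoking user, `owner /var/tmp/flatpak-cache-*/*/ r,` keeps the file rule consistent with the others (the `mount`/`umount` rules cannot take `owner`). The `# Where to mount ISO files` heading now also sits above the flatpak cache path; `# Mountpoints fusermount may use (ISO images, flatpak cache)` would describe the list accurately. The fusermount profile body continues outside the hunk.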
@@ -44,27 +44,13 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /boot/EFI/arch/fwupdx[0-9]*.efi rw, /boot/EFI/arch/fw/fwupd-*.cap{,.*} rw, - # In order to get to this file, the attach_disconnected flag has to be set - owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, - /usr/share/mime/mime.cache r, - @{PROC}/modules r, - @{PROC}/cmdline r, - @{PROC}/swaps r, - @{PROC}/sys/kernel/tainted r, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/fd/ r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, - /dev/mem r, - /dev/mei[0-9]* rw, - /dev/tpm[0-9] rw, - /dev/drm_dp_aux[0-9]* rw, - /dev/sd[a-z]* r, - /dev/bus/usb/ r, - /dev/bus/usb/[0-9]*/[0-9]* rw, - /dev/wmi/* r, + # In order to get to this file, the attach_disconnected flag has to be set + owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, @{sys}/**/ r, @{sys}/devices/** r, @@ -79,13 +65,30 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, @{sys}/power/mem_sleep r, - @{run}/udev/data/* r, + @{run}/motd.d/ r, + @{run}/motd.d/[0-9]*-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, - + @{run}/mount/utab r, @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/udev/data/* r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/cmdline r, + @{PROC}/modules r, + @{PROC}/swaps r, + @{PROC}/sys/kernel/tainted r, + + /dev/bus/usb/ r, + /dev/bus/usb/[0-9]*/[0-9]* rw, + /dev/drm_dp_aux[0-9]* rw, + /dev/mei[0-9]* rw, + /dev/mem r, + /dev/sd[a-z]* r, + /dev/tpm[0-9]* rw, + /dev/wmi/* r, profile gpg flags=(complain) { include diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 624e77b0..354db016 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git 
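Review bot: `/dev/mem r` is re-added in the reordered device block of fwupd without a note on which plugin needs it; read access to /dev/mem exposes physical memory (modulo the kernel's devmem restrictions), and because the profile is still `flags=(complain,attach_disconnected)` the grant can be carried into enforce mode unexamined. A one-line justification such as `# /dev/mem: read-only, presumably for the SMBIOS/ACPI table plugins — TODO confirm` would help, as would a comment on the new `@{PROC}/1/cgroup r,` rule, which reads PID 1's cgroup rather than the profile's own. The TPM rule also widens from `/dev/tpm[0-9]` to `/dev/tpm[0-9]*`, which only adds multi-digit names like `tpm10` and still does not match `/dev/tpmrm0`; stating which node names it is for would make the intent checkable. The fwupd profile continues into the nested `profile gpg` block outside the hunk.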
@@ -80,8 +80,8 @@ profile git @{exec_path} { owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, - owner @{user_cache_dirs}/**/.SRCINFO r, - owner @{user_cache_dirs}/**/.git/** r, + owner @{user_cache_dirs}/*/ rw, + owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, owner /tmp/** rwkl -> /tmp/**, owner /tmp/**/bin/* rCx -> exec, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 722de7c3..ae8e492f 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -68,6 +68,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r, deny /apparmor/.null rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index ea6029ee..faf590df 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -12,7 +12,6 @@ include profile ntfs-3g @{exec_path} { include include - # When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume include capability dac_override, diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index 9410d7f1..d442fc71 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,6 +1,3 @@ -arch-audit complain -archlinux-java complain -aurpublish complain pacman complain pacman-conf attach_disconnected,complain pacman-hook-dconf complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a95b0fae..7c7ae809 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -51,7 +51,6 @@ gnome-tweak-tool-lid-inhibitor complain gnome-tweaks complain gpg complain groups complain -gsd-disk-utility-notify complain gsd-media-keys attach_disconnected,complain gsd-print-notifications attach_disconnected,complain gsd-printer attach_disconnected,complain
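Review bot: The replacement rules `owner @{user_cache_dirs}/*/ rw,` and `owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,` turn a read-only grant on `.SRCINFO` and `.git/**` into read/write/lock/link over every subdirectory of the user's cache, including the caches of unrelated applications. The removed `.SRCINFO` rule suggests the real target is an AUR-helper clone cache (inferred from the file name); naming that helper's directory instead of `*` would keep the scope close to what git touches, e.g. `owner @{user_cache_dirs}/<helper>/** rwkl -> @{user_cache_dirs}/<helper>/**,`. If the wildcard is deliberate, a comment stating which tools clone into `~/.cache` would record the decision. The git profile body continues outside the hunk.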
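Review bot: The new `deny @{user_share_dirs}/gvfs-metadata/* r,` in the kmod profile carries no comment on why a kernel-module tool would be probing GVFS metadata, so a later reader cannot tell a deliberate noise-silencer from a stray rule. Given the neighbouring `deny /apparmor/.null rw,`, this is presumably quieting a file_inherit from a desktop parent; a note such as `# file_inherit: noise from a desktop parent, not needed by kmod — TODO confirm` would make that explicit. The kmod profile body starts outside the hunk.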