From 1f16025c10086092425e19bace3fe300f6266105 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 15 Jan 2023 19:22:18 +0000
Subject: [PATCH] feat(profile): general update.

See: #102
---
 apparmor.d/groups/freedesktop/geoclue        |  5 +++--
 apparmor.d/groups/gnome/gnome-control-center |  7 +++---
 apparmor.d/groups/grub/grub-mount            |  3 +++
 apparmor.d/groups/network/nm-dispatcher      |  2 +-
 apparmor.d/groups/systemd/systemd-logind     |  2 +-
 apparmor.d/profiles-a-f/btrfs                | 23 ++++++++++----------
 apparmor.d/profiles-a-f/fwupd                |  1 +
 apparmor.d/profiles-m-r/os-prober            |  4 ++++
 8 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index c860fd00..b609cd45 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -9,9 +9,10 @@ include
 @{exec_path} = @{libexec}/geoclue
 profile geoclue @{exec_path} flags=(attach_disconnected) {
   include
-  include
-  include
   include
+  include
+  include
+  include
 
   network inet dgram,
   network inet6 dgram,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index d4fd8857..d3d9caae 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -87,10 +87,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /usr/share/language-tools/language2locale rix,
 
   /snap/*/[0-9]*/**.png r,
+  /usr/share/*ubuntu/applications/{,*} r,
   /usr/share/backgrounds/{,**} r,
-  /usr/share/desktop-base/**.{xml,png,svg} r,
   /usr/share/cups/data/testprint r,
+  /usr/share/desktop-base/**.{xml,png,svg} r,
   /usr/share/egl/{,**} r,
+  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/gnome-background-properties/{,**} r,
   /usr/share/gnome-bluetooth{-*,}/{,**} r,
@@ -98,11 +100,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /usr/share/gnome-control-center/{,**} r,
   /usr/share/gnome-shell/search-providers/{,**} r,
   /usr/share/gnome/gnome-version.xml r,
-  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
+  /usr/share/libdrm/*.ids r,
   /usr/share/mime/{,**} r,
   /usr/share/pipewire/client.conf r,
   /usr/share/thumbnailers/{,*} r,
-  /usr/share/*ubuntu/applications/{,*} r,
   /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
   /usr/share/zoneinfo/{,**} r,
 
diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount
index 79edeac5..c37f32b7 100644
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
@@ -15,6 +15,9 @@ profile grub-mount @{exec_path} {
 
   capability sys_admin,
 
+  mount fstype=fuse.grub-mount -> /var/lib/os-prober/mount/,
+  umount /var/lib/os-prober/mount/,
+
   @{exec_path} mr,
 
   / r,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 13efbdc3..0459f71a 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -45,7 +45,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   /etc/NetworkManager/dispatcher.d/** rix,
 
   @{run}/systemd/notify rw,
-  @{run}/tlp/* rw,
+  @{run}/tlp/{,*} rw,
 
   owner @{PROC}/@{pid}/fd/ r,
 
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 514453e4..9dfa0725 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
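Review bot: The new `mount`/`umount` pair in grub-mount hard-codes an os-prober path without saying why a grub profile owns it; a reader has to open the os-prober profile changed in the same patch to connect the two. A one-line comment above the `mount` rule would do, e.g. `# Mount point used when grub-mount is presumably driven by os-prober (see that profile)`. The rule itself is reasonably tight, since the fstype is pinned to fuse.grub-mount and the destination is a fixed directory, so this is documentation only. The profile body continues outside the hunk.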
@@ -88,9 +88,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{run}/udev/data/c10:[0-9]* r,
   @{run}/udev/data/c116:[0-9]* r, # for ALSA
   @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+  @{run}/udev/data/c14:[0-9]* r,
   @{run}/udev/data/c21:[0-9]* r,
   @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
-  @{run}/udev/data/c21:[0-9]* r,
   @{run}/udev/data/c23[0-9]:[0-9]* r,
   @{run}/udev/data/c24[0-9]:[0-9]* r,
   @{run}/udev/data/c29:[0-9]* r,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index bff4395c..f1053e2a 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -18,21 +19,12 @@ profile btrfs @{exec_path} {
 
   @{exec_path} mr,
 
-  @{run}/blkid/blkid.tab{,-*} rw,
-  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
-
-  owner @{PROC}/@{pid}/mounts r,
-  @{PROC}/partitions r,
-
-  # For fsck of the btrfs filesystem directly from gparted
-  owner /tmp/gparted-*/ rw,
-
-  # For scrub
   /var/lib/btrfs/ rw,
   /var/lib/btrfs/scrub.progress.@{uuid} rw,
   /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,
 
-  # Saved metadata
+  / r,
+  /boot/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/ext2_saved/ rw,
   @{MOUNTS}/ext2_saved/image rw,
@@ -46,6 +38,15 @@ profile btrfs @{exec_path} {
   owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
   owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 
+  # For fsck of the btrfs filesystem directly from gparted
+  owner /tmp/gparted-*/ rw,
+
+  @{run}/blkid/blkid.tab{,-*} rw,
+  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
+
+  @{PROC}/partitions r,
+  owner @{PROC}/@{pid}/mounts r,
+
   /dev/btrfs-control rw,
 
   include if exists
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index f6de4662..1e2b26d6 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
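Review bot: The added `c14:[0-9]*` rule in systemd-logind is the only entry in this run of udev device rules without the trailing explanation its neighbours carry (`# for ALSA`, `# for /dev/input/*`), so the next reader has to look up the major number. Character major 14 is the legacy OSS sound device range in the kernel's device list, so `@{run}/udev/data/c14:[0-9]* r, # for OSS sound devices` keeps the style consistent. The rule list continues outside the hunk.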
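Review bot: In the second btrfs hunk the `# Saved metadata` comment is dropped while the `@{MOUNTS}/ext2_saved/` rules it described stay, and the new `/ r,` and `/boot/ r,` lines are spliced into that group, so it now reads as one unexplained block of root and mount-point paths. Keep a comment above the ext2_saved rules, e.g. `# Saved metadata of a converted filesystem (ext2_saved)`, and give the two new directory reads their own blank line or comment. The `# For scrub` comment is dropped as well; the scrub.* file names make that one self-explanatory, so it matters less. The profile body continues outside the hunk.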
@@ -81,6 +81,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   /var/cache/fwupd/{,**} rw,
   /var/lib/fwupd/{,**} rw,
   /var/lib/fwupd/pending.db rwk,
+  /var/tmp/etilqs_@{hex} rw,
 
   /boot/{,**} r,
   /boot/EFI/*/.goutputstream-* rw,
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index 4ce682ef..b19271f3 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -45,7 +45,11 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/os-prober/{,**} rw,
 
+  @{MOUNTS}/ r,
+  / r,
   /boot/ r,
+  /boot/EFI/ r,
+  /boot/EFI/*/ r,
 
   owner /tmp/os-prober.*/{,**} rw,
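Review bot: `/var/tmp/etilqs_@{hex} rw,` in fwupd grants read/write on an opaque name with no comment; `etilqs_` is the temporary-file prefix SQLite uses (SQLITE_TEMP_FILE_PREFIX), so say so, e.g. `/var/tmp/etilqs_@{hex} rw, # SQLite temporary files`. Because /var/tmp is a shared world-writable directory, it is also worth adding the `owner` qualifier so the rule only matches files fwupd itself created, unless the surrounding rules in this profile deliberately avoid `owner`. The rest of the profile is outside the hunk.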