diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index ab46efb0..c9a50454 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -1,7 +1,10 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# Warning: Such a profile is limitted as it gives access to a lot of resources.
+
 abi ,
 include
@@ -164,14 +167,12 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
- @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/virtual/dmi/id/product_name r,
- @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
-
- # To remove the following error:
- # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
- # The irq file is needed to render pages.
 @{sys}/devices/pci[0-9]*/**/irq r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]*/**/report_descriptor r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+ @{sys}/devices/virtual/**/report_descriptor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 /var/tmp/ r,
 /tmp/ r,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 6ef0511d..5bc83a7c 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -65,6 +65,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/gpa rPUx,
 /{usr/,}bin/keepassxc-proxy rPUx,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
 # Allowed apps to open
 /{usr/,}bin/xdg-open rCx -> open,
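Review bot: The added header comment misspells `limitted` and sits inside the copyright block, where it reads as part of the license notice rather than as a caveat about the rules below. Spell it `limited` and move it to just above the `profile chromium-chromium` line, so the warning is next to the rules it qualifies. The firefox profile touched in this same commit has the same shape of broad access and would deserve the same note, if that is the intent.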
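Review bot: The three comment lines explaining why `@{sys}/devices/pci[0-9]*/**/irq r,` is granted (the pcilib "Permission denied" it avoids, and that page rendering needs it) are deleted while the rule is kept, so the next reader cannot tell whether the `**` read across every PCI device can be narrowed. Keep a one-line form next to the rule, e.g. `# pcilib reads the GPU's irq file; needed to render pages`. The two new `report_descriptor` reads would benefit from the same treatment: one line naming the browser feature whose denial prompted them (HID descriptors, presumably a WebHID or security-key path, but take it from the log rather than from me). The reordering to alphabetical order otherwise looks right.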
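Review bot: `/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,` transitions into a profile named after the target, but no profile for that helper is part of this diff, so under enforcement the exec is refused until one ships; confirm it exists elsewhere in the tree. The trailing `*` also gives any other file with that name prefix in the directory the same transition, so if a version suffix is the only reason for the glob, match the exact names actually needed. The neighbouring `gpa` and `keepassxc-proxy` rules use `rPUx`, which falls back to unconfined; `rPx` is the stronger choice here as long as the profile is present.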
@@ -132,10 +133,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
 # For Cryptographic Attestation of Personhood
- #@{sys}/bus/ r,
- #@{sys}/class/ r,
- #@{sys}/class/hidraw/ r,
- #@{run}/udev/data/c241:[0-9]* r, # dynamic
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/hidraw/ r,
+ @{run}/udev/data/c241:[0-9]* r, # dynamic
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 2276d3c6..8fbc6f33 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -59,6 +59,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /usr/share/xsessions/{,*.desktop} r,
 /opt/*/**/*.png r,
+ /.flatpak-info r,
 /etc/fstab r,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 442f19ba..f238617d 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -11,6 +11,7 @@ profile tracker-extract @{exec_path} {
 include
 include
 include
+ include
 include
 include
@@ -20,11 +21,13 @@ profile tracker-extract @{exec_path} {
 /usr/share/applications/*.desktop r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/ladspa/rdf/{,**} r,
 /usr/share/mime/mime.cache r,
 /usr/share/osinfo/{,**} r,
 /usr/share/poppler/{,**} r,
 /usr/share/tracker3-miners/{,**} r,
 /usr/share/tracker3/{,**} r,
+ /usr/share/hwdata/*.ids r,
 /etc/libva.conf r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index cf6b2c22..c4ad39b9 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
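Review bot: The four rules un-commented here only grant directory listings (`@{sys}/bus/`, `@{sys}/class/`, `@{sys}/class/hidraw/`) plus the udev database entry; nothing in the hunk grants the `/dev/hidraw*` nodes themselves, so if the attestation flow the comment refers to still fails, the missing piece is the device rule, not these (it may already be granted outside the hunk). The `# dynamic` remark on `@{run}/udev/data/c241:[0-9]* r,` is too terse to act on; say what is dynamic, e.g. `# hidraw uses a dynamically assigned char major (241 on the authoring system); adjust if udev reports another`. `profile firefox` continues outside the hunk.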
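Review bot: `/usr/share/hwdata/*.ids r,` is appended after `/usr/share/tracker3/{,**} r,`, breaking the alphabetical order the rest of this list keeps and that the other new line, `/usr/share/ladspa/rdf/{,**} r,`, respects; move it between the `glib-2.0` and `ladspa` entries. A short comment saying which extractor needs the hardware-id tables and the LADSPA RDF descriptors would also help, since neither is an obvious input for a file indexer (a GStreamer-based extractor would be my guess, but take it from the denial log rather than from me).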
@@ -20,6 +20,7 @@ profile tracker-miner @{exec_path} {
 /usr/share/applications/{,mimeinfo.cache} r,
 /usr/share/mime/mime.cache r,
+ /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
 owner /var/tmp/etilqs_[0-9a-f]* rw,
 # Allow to search user files
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index 704b3feb..2ab10645 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/pacdiff
-profile pacdiff @{exec_path} {
+profile pacdiff @{exec_path} flags=(attach_disconnected) {
 include
 capability dac_read_search,
@@ -38,5 +38,8 @@ profile pacdiff @{exec_path} {
 /dev/tty rw,
+ # Inherit Silencer
+ deny /apparmor/.null rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 420d79f1..f49991d1 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -57,6 +57,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/ghc-pkg-* rix,
 /{usr/,}bin/grep rix,
+ /{usr/,}bin/killall rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/setcap rix,
 /{usr/,}bin/vercmp rix,
@@ -73,7 +74,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
 /{usr/,}bin/install-info rPx,
 /{usr/,}bin/journalctl rPx,
- /{usr/,}bin/killall rPx,
+ /{usr/,}bin/locale-gen rPx,
 /{usr/,}bin/pacdiff rPx,
 /{usr/,}bin/pacman-key rPx,
 /{usr/,}bin/sysctl rPx,
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index 20b3043a..4948c064 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@@ -19,5 +19,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
 /etc/pacman.d/mirrorlist r,
 /etc/pacman.d/*-mirrorlist r,
+ deny /apparmor/.null rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/askpass b/apparmor.d/profiles-a-f/askpass
index e5f5486a..67938a92 100644
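Review bot: `flags=(attach_disconnected)` is added to `profile pacdiff` with no comment on why it is needed; together with the `deny /apparmor/.null rw,` added further down, it looks like the flag is there so that deny rule can match the disconnected `/apparmor/.null` path, in which case say so next to the flag. The flag also makes every other disconnected path (files from another mount namespace, for instance) appear as an absolute path and match this profile's rules, so it slightly widens what the existing rules cover; the same applies to the flag added to `profile pipewire-pulse` in this commit. The pacman hunk below keeps `/{usr/,}bin/pacdiff rPx,`, so pacman is presumably the parent whose inherited descriptors land on `/apparmor/.null`, but that is inferred rather than shown.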
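Review bot: `deny /apparmor/.null rw,` is tagged `# Inherit Silencer` here, while the identical rule added to pacman-conf in this commit carries no comment at all; use the same comment in both and make it say what is silenced, e.g. `# Silence denials on descriptors inherited from the parent that point at the disconnected /apparmor/.null`. "Inherit" on its own does not tell the reader which parent is meant or why those descriptors are disconnected.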
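Review bot: Moving `/{usr/,}bin/killall` from `rPx` (the second hunk of this file) to `rix` runs killall inside the pacman profile, so it inherits everything pacman may do, and whatever killall itself needs — `signal (send)` to the target processes and permission to read other processes' `@{PROC}` entries to find them — must now be granted here; neither is visible in the hunk, so confirm they exist in the profile or the change merely turns a missing `killall` profile into denied signals. Package hooks that invoke killall will also run it with pacman's full capability set; if a dedicated `killall` profile is feasible, `rPx` keeps that boundary. `/{usr/,}bin/locale-gen rPx,` in the second hunk likewise presumes a `locale-gen` profile exists.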
--- a/apparmor.d/profiles-a-f/askpass
+++ b/apparmor.d/profiles-a-f/askpass
@@ -10,6 +10,9 @@ include
 profile askpass @{exec_path} {
 include
+ network inet dgram,
+ network inet6 dgram,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
@@ -18,5 +21,11 @@ profile askpass @{exec_path} {
 /{usr/,}bin/rm rix,
 /{usr/,}lib/electron[0-9]*/electron rUx,
+ /usr/share/terminfo/x/xterm-256color r,
+
+ owner /tmp/tmp.* rw,
+
+ /dev/tty rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 57b8fcb2..ce9050d4 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -39,24 +39,24 @@ profile git @{exec_path} {
 deny /usr/local/games/ r,
 # These are needed for "git submodule update"
- /{usr/,}bin/basename rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/gettext.sh rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/envsubst rix,
- /{usr/,}bin/gettext rix,
- /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/basename rix,
 /{usr/,}bin/cat rix,
- /{usr/,}bin/dirname rix,
-
- /{usr/,}bin/mv rix,
- /{usr/,}bin/whoami rix,
- /{usr/,}bin/hostname rix,
- /{usr/,}bin/rm rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/date rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/envsubst rix,
+ /{usr/,}bin/gettext rix,
+ /{usr/,}bin/gettext.sh rix,
+ /{usr/,}bin/hostname rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/whoami rix,
 /{usr/,}bin/pager rPx -> child-pager,
 /{usr/,}bin/less rPx -> child-pager,
diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl
index 48c9ee4e..ba5f7359 100644
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@@ -13,7 +13,7 @@ profile pactl @{exec_path} {
 include
 include
- /{usr/,}bin/pactl mr,
+ @{exec_path} mr,
 owner @{HOME}/.Xauthority r,
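Review bot: `network inet dgram,` and `network inet6 dgram,` give a password-prompt helper unrestricted UDP sockets with no comment on what needs them; AppArmor network rules cannot limit the peer, so this is an all-or-nothing grant. If the reason is name resolution, the nameservice abstraction already carries these rules and including it documents the intent better than bare network rules; otherwise add a comment naming the feature whose denial prompted them (the `electron` `rUx` rule in the next hunk suggests a GUI frontend, but that is a guess). `profile askpass` continues outside the hunk.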
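Review bot: The `\ No newline at end of file` marker after the closing `}` still applies to the new side, so the file continues to end without a trailing newline; add one while the file is being touched. `owner /tmp/tmp.* rw,` matches the default `mktemp(1)` name pattern, which is worth stating (`# mktemp(1) scratch file`) so a reader knows why a password helper writes to /tmp at all, and `/dev/tty rw,` deserves a line saying it is for the terminal prompt fallback, if that is indeed the reason.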
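Review bot: The reorder drops `/{usr/,}bin/{,ba,da}sh rix,` from the "git submodule update" list and does not re-add it anywhere in this hunk; `gettext.sh` is a shell script that gets sourced and the submodule helpers have historically been shell, so unless the shell is granted elsewhere in `profile git` (outside this hunk) submodule updates will now fail at exec. Sorting also kept both `/{usr/,}bin/cat rix,` context lines, so the list still holds a duplicate that should go. A note in the commit that `mkdir` and `wc` are the only genuinely new entries would make the hunk easier to audit, since the shuffle otherwise hides them.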
diff --git a/apparmor.d/profiles-m-r/pipewire b/apparmor.d/profiles-m-r/pipewire
index 3fef3593..d602df82 100644
--- a/apparmor.d/profiles-m-r/pipewire
+++ b/apparmor.d/profiles-m-r/pipewire
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2020 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,9 +10,9 @@ include
 @{exec_path} = /{usr/,}bin/pipewire
 profile pipewire @{exec_path} {
 include
+ include
 include
- # Needed for all sound/music apps.
 ptrace (read),
 @{exec_path} mr,
@@ -21,24 +21,12 @@ profile pipewire @{exec_path} {
 /etc/machine-id r,
 /etc/pipewire/client.conf r,
+ /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
 /etc/pipewire/pipewire.conf r,
+ /etc/pipewire/pipewire.conf.d/{,*} r,
 owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
- /dev/snd/controlC[0-9]* rw,
- /dev/snd/pcmC[0-9]*D[0-9]*p rw,
- /dev/snd/pcmC[0-9]*D[0-9]*c rw,
-
- /usr/share/alsa/{,**} r,
- /etc/alsa/{,**} r,
-
- /dev/shm/ r,
- @{run}/shm/ r,
- /etc/pulse/{,**} r,
- owner @{user_config_dirs}/pulse/ rw,
- owner @{user_config_dirs}/pulse/cookie rwk,
- owner @{run}/user/@{uid}/pulse/ r,
-
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/board_vendor r,
@@ -46,7 +34,6 @@ profile pipewire @{exec_path} {
 / r,
- /dev/snd/seq rw,
 /dev/video[0-9]* rw,
 include if exists
diff --git a/apparmor.d/profiles-m-r/pipewire-pulse b/apparmor.d/profiles-m-r/pipewire-pulse
index b646f457..d5f03c45 100644
--- a/apparmor.d/profiles-m-r/pipewire-pulse
+++ b/apparmor.d/profiles-m-r/pipewire-pulse
@@ -8,8 +8,9 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/pipewire-pulse
-profile pipewire-pulse @{exec_path} {
+profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 capability sys_ptrace,
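Review bot: `ptrace (read),` loses its explanatory comment (`# Needed for all sound/music apps.`) while the rule stays, and a read-ptrace grant over every process is one of the few rules in this profile worth a sentence; keep one, e.g. `# ptrace (read) is needed to read /proc/<pid>/ of client processes`, if that is the actual reason. The abstraction pulled in by the new `+ include` line has its name stripped in this rendering, so its contents cannot be checked here.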
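Review bot: The fourteen removed lines (`/dev/snd/*` device access, ALSA and PulseAudio config and cookie rules) are presumably relocated into the abstraction included by the earlier hunk, whose name is not visible in this rendering; if that abstraction is shared with client profiles, the `/dev/snd/pcmC*` and `controlC*` `rw` rules and `owner @{user_config_dirs}/pulse/cookie rwk,` now apply to every includer, so confirm it is scoped to the audio servers rather than to everything that plays sound. `/dev/snd/seq rw,` is removed in the last hunk of this file with no visible replacement either. Neither can be verified from this diff; a one-line comment at the include saying what it now carries would settle it.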
@@ -18,10 +19,14 @@ profile pipewire-pulse @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/pactl rix,
+
+ /var/lib/dbus/machine-id r,
 /etc/machine-id r,
 /etc/pipewire/client.conf r,
 /etc/pipewire/pipewire-pulse.conf r,
+ /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
 /usr/share/pipewire/client.conf r,
 /usr/share/pipewire/pipewire-pulse.conf r,
@@ -33,6 +38,7 @@ profile pipewire-pulse @{exec_path} {
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
 / r,
+ /.flatpak-info r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 8033eaf9..e44f2093 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -46,6 +46,7 @@ profile wireplumber @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/modalias r,
 @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
+ /dev/snd/ r,
 /dev/video[0-9]* rw,
 include if exists
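Review bot: `/{usr/,}bin/pactl rix,` runs pactl inside `profile pipewire-pulse`, which holds `capability sys_ptrace` (visible in the previous hunk of this file), while this same commit maintains a dedicated profile at `apparmor.d/profiles-m-r/pactl`; `/{usr/,}bin/pactl rPx,` would confine the child to that much smaller rule set instead of letting it inherit the server's. A comment on why pipewire-pulse spawns pactl at all (a config-driven exec, presumably) would also help the next reader decide whether the rule can go.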