feat(abs): general improvment.

This commit is contained in:
Alexandre Pujol 2024-10-01 17:29:49 +01:00
parent 63888f07a7
commit 21e8456383
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
9 changed files with 56 additions and 30 deletions


@ -11,8 +11,8 @@
# Sandbox managers # Sandbox managers
@{bin}/bwrap rPUx, @{bin}/bwrap rPUx,
@{bin}/firejail rPUx, @{bin}/firejail rPUx,
@{bin}/flatpak rPUx, @{bin}/flatpak rPx,
@{bin}/snap rPUx, @{bin}/snap rPx,
# Labeled programs # Labeled programs
@{archive_viewers_path} rPUx, @{archive_viewers_path} rPUx,
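Review bot: The change from `rPUx` to `rPx` for flatpak and snap on the fourth and fifth lines of the hunk makes the exec fail, rather than fall back to unconfined, whenever the target profile is not loaded, while bwrap and firejail on the lines above keep the unconfined fallback; the asymmetry deserves a comment so it is not "fixed" back later. Something like `# flatpak/snap must have their own profile loaded; no unconfined fallback` above those two lines would do. Whether the flatpak and snap profiles are shipped in every configuration that includes this abstraction cannot be checked from this hunk.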


@ -4,7 +4,13 @@
include <abstractions/consoles> include <abstractions/consoles>
@{bin}/kmod mr, @{bin}/depmod mr,
@{bin}/insmod mr,
@{bin}/kmod mr,
@{bin}/lsmod mr,
@{bin}/modinfo mr,
@{bin}/modprobe mr,
@{bin}/rmmod mr,
@{lib}/modprobe.d/ r, @{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r, @{lib}/modprobe.d/*.conf r,
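Review bot: The six added `mr` rules (insmod through rmmod) let any profile that includes this abstraction map the module tools in its own domain without a transition, and nothing in the hunk says what the abstraction is meant to cover; a one-line header such as `# Map the kmod tools (usually symlinks to kmod); loading modules still needs capability sys_module in the including profile` would make the scope clear. If the intended use is only read-only inspection (lsmod, modinfo), saying so would help reviewers of the profiles that include it. The file's header is outside the hunk, so an existing description there may already cover this.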


@ -57,7 +57,6 @@
@{PROC}/@{pid}/limits r, @{PROC}/@{pid}/limits r,
@{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/ngroups_max r,
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
/dev/ r, /dev/ r,


@ -20,8 +20,6 @@
ptrace (readby) peer=systemd-coredump, ptrace (readby) peer=systemd-coredump,
/usr/share/locale/ r,
@{etc_rw}/localtime r, @{etc_rw}/localtime r,
/etc/locale.conf r, /etc/locale.conf r,


@ -50,6 +50,7 @@
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{user_config_dirs}/electron-flags.conf r,
owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
@ -87,6 +88,8 @@
owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <abstractions/common/electron.d> include if exists <abstractions/common/electron.d>
# vim:syntax=apparmor # vim:syntax=apparmor
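Review bot: The added `deny @{user_share_dirs}/gvfs-metadata/* r,` in the second hunk is a quiet deny: it is not logged by default and, because deny takes precedence over allow, it also overrides any matching allow rule in a profile that includes this abstraction. A comment stating the intent, e.g. `# Silence noisy gvfs metadata reads; not needed by Electron apps`, would keep it from being mistaken for a hardening rule. The added `owner @{user_config_dirs}/electron-flags.conf r,` in the first hunk is read-only, which is the right choice for a file that controls the application's startup flags.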


@ -5,6 +5,7 @@
# Minimal set of rules for all gnome based UI application. # Minimal set of rules for all gnome based UI application.
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/graphics> include <abstractions/graphics>


@ -11,42 +11,56 @@
# The only legitimate use in this project is for file browser and search engine. # The only legitimate use in this project is for file browser and search engine.
deny @{HOME}/.*.bak mrwkl, # User defined private directories
deny @{HOME}/.*.swp mrwkl, deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
deny @{HOME}/.*~ mrwkl, deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
deny @{HOME}/.*~1~ mrwkl, deny @{user_private_dirs}/{,**} mrxwlk,
# Files with secret paswords and tokens
deny @{HOME}/.*age*{,/{,**}} mrwkl, deny @{HOME}/.*age*{,/{,**}} mrwkl,
deny @{HOME}/.*aws*{,/{,**}} mrwkl, deny @{HOME}/.*aws*{,/{,**}} mrwkl,
deny @{HOME}/.*cert*{,/{,**}} mrwkl, deny @{HOME}/.*cert*{,/{,**}} mrwkl,
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.*key*{,/{,**}} mrwkl, deny @{HOME}/.*key*{,/{,**}} mrwkl,
deny @{HOME}/.*pass*{,/{,**}} mrwkl, deny @{HOME}/.*pass*{,/{,**}} mrwkl,
deny @{HOME}/.*pki*{,/{,**}} mrwkl, deny @{HOME}/.*pki*{,/{,**}} mrwkl,
deny @{HOME}/.*private*{,/{,**}} mrwkl, deny @{HOME}/.*private*{,/{,**}} mrwkl,
deny @{HOME}/.*secret*{,/{,**}} mrwkl, deny @{HOME}/.*secret*{,/{,**}} mrwkl,
deny @{HOME}/.*yubi*{,/{,**}} mrwkl, deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
deny @{HOME}/.fetchmail* mrwkl, deny @{HOME}/.aws/{,**} mrwkl,
deny @{HOME}/.lesshst* mrwkl, deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt* mrwkl,
deny @{HOME}/.thunderbird/{,**} mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
deny @{run}/user/@{uid}/keyring** mrwkl,
deny @{user_config_dirs}/*-store/{,**} mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_password_store_dirs}/{,**} mrwkl, deny @{user_password_store_dirs}/{,**} mrwkl,
deny @{user_share_dirs}/kwalletd/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
# User defined private directories # Privacy violations
deny @{user_private_dirs}/{,**} mrxwlk, deny @{HOME}/.*.bak mrwkl,
deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, deny @{HOME}/.*.swp mrwkl,
deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.evolution/{,**} mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.gnome2_private/{,**} mrwkl,
deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
deny @{HOME}/.lesshst* mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.thunderbird/{,**} mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_config_dirs}/evolution/{,**} mrwkl,
# Deny executable mapping in writable space as allowed in abstractions/fonts # Deny executable mapping in writable space as allowed in abstractions/fonts
deny @{HOME}/.{,cache/}fontconfig/ rw, deny @{HOME}/.{,cache/}fontconfig/ rw,
deny @{HOME}/.{,cache/}fontconfig/** mrwl, deny @{HOME}/.{,cache/}fontconfig/** mrwl,
# special attention to (potentially) executable files
deny @{HOME}/bin wl,
deny @{HOME}/bin/{,**} wl,
include if exists <abstractions/deny-sensitive-home.d> include if exists <abstractions/deny-sensitive-home.d>
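Review bot: The new `deny @{HOME}/bin wl,` and `deny @{HOME}/bin/{,**} wl,` near the end of the hunk block writes into a directory that is commonly on the user's PATH, but the comment above them only says "special attention"; stating the reason, e.g. `# Block confined apps from dropping executables into the user's PATH`, would help. If that is the goal, `@{HOME}/.local/bin` (the XDG-standard user executable directory) would presumably deserve the same treatment. The `deny @{run}/user/@{uid}/keyring** mrwkl,` line appears only once on this page, so its side cannot be determined here; if it is being dropped, the gnome-keyring control directory is no longer covered by this abstraction. The comment `# Files with secret paswords and tokens` has a typo (passwords).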


@ -5,7 +5,11 @@
# Extra Mesa rules for desktop environments # Extra Mesa rules for desktop environments
owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/ w,
owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,
owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw,
owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw,
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw,
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,


@ -4,11 +4,12 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
@{bin}/ r, @{bin}/ r,
@{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, @{python_path} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, owner @{user_lib_dirs}/@{python_name}/ r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r,
owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r,
# vim:syntax=apparmor # vim:syntax=apparmor
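Review bot: The rewritten rules keep `mr` on `owner @{user_lib_dirs}/@{python_name}/**.{pyc,so}`, so executable mapping of user-writable native code is still allowed by this abstraction, and nothing in the hunk says why; a comment such as `# user-site packages (pip --user) may ship compiled extensions; m is needed to import them` would record the trade-off. The definitions of `@{python_path}` and `@{python_name}` are outside this hunk, so whether the new variables match exactly the versions the old `python{2.[4-7],3,3.[0-9],3.1[0-9]}` glob covered cannot be checked here.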