feat(profiles): apply guideline on some profile. Update flags list.

2025-01-18 08:58:15 +01:00 · 2023-08-27 15:30:18 +01:00 · 2023-08-27 15:30:18 +01:00 · 22e57b3620
commit 22e57b3620
parent 7a5096e7d8
12 changed files with 74 additions and 83 deletions
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -19,8 +19,8 @@ include <tunables/global>
 profile sshd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/dbus-strict>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/hosts_access>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/loginctl
+@{exec_path} = @{bin}/loginctl
 profile loginctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/profiles-a-f/btop
+++ b/apparmor.d/profiles-a-f/btop
@ -1,11 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}{,local/}bin/btop
+@{exec_path} = @{bin}/btop
 profile btop @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@ -1,16 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/host
+@{exec_path} = @{bin}/host
 profile host @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/openssl>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  network inet dgram,
  network inet6 dgram,
@ -21,5 +22,7 @@ profile host @{exec_path} {
  owner @{PROC}/@{pids}/task/@{tid}/comm rw,
  @{sys}/kernel/mm/transparent_hugepage/enabled r,
  include if exists <local/host>
 }
--- a/apparmor.d/profiles-m-r/murmurd
+++ b/apparmor.d/profiles-m-r/murmurd
@ -1,14 +1,15 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 include <tunables/global>
-@{exec_path} = /{,usr/}{,s}bin/murmurd
+@{exec_path} = @{bin}/murmurd
 profile murmurd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/dbus-strict>
  include <abstractions/ssl_certs>
  capability chown,
@ -31,7 +32,7 @@ profile murmurd @{exec_path} {
  @{exec_path} mr,
-  /{,usr/}bin/lsb_release Px -> lsb_release,
+  @{bin}/lsb_release rPx -> lsb_release,
  /etc/mumble-server.ini r,
--- a/apparmor.d/profiles-m-r/nvidia-detector
+++ b/apparmor.d/profiles-m-r/nvidia-detector
@ -1,15 +1,16 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/nvidia-detector
+@{exec_path} =  @{bin}/nvidia-detector
 profile nvidia-detector @{exec_path} {
  include <abstractions/base>
-  @{exec_path} r,
+  @{exec_path} mr,
  include if exists <local/nvidia-detector>
 }
--- a/apparmor.d/profiles-m-r/nvidia-persistenced
+++ b/apparmor.d/profiles-m-r/nvidia-persistenced
@ -1,21 +1,22 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/nvidia-persistenced
+@{exec_path} = @{bin}/nvidia-persistenced
 profile nvidia-persistenced @{exec_path} {
  include <abstractions/base>
  include <abstractions/nvidia>
  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
  capability chown,
  capability setgid,
  capability setuid,
-  @{exec_path} r,
+  @{exec_path} mr,
  /etc/netconfig r,
--- a/apparmor.d/profiles-m-r/pstree
+++ b/apparmor.d/profiles-m-r/pstree
@ -1,11 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/pstree
+@{exec_path} = @{bin}/pstree
 profile pstree @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
@ -18,11 +19,11 @@ profile pstree @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
        @{PROC} r,
-        @{PROC}/uptime r,
+        @{PROC}/@{pids}/attr/current r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/@{pids}/task/ r,
        @{PROC}/@{pids}/attr/current r,
        @{PROC}/@{pids}/task/@{tid}/stat r,
        @{PROC}/uptime r,
  owner @{PROC}/@{pid}/cmdline r,
  include if exists <local/pstree>
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@ -1,24 +1,26 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/remmina
+@{exec_path} = @{bin}/remmina
 profile remmina @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ibus>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/ssl_certs>
  include <abstractions/openssl>
  include <abstractions/freedesktop.org>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/X-strict>
  network inet stream,
  network inet6 stream,
@ -112,33 +114,27 @@ profile remmina @{exec_path} {
  @{exec_path} r,
  /usr/share/remmina/{,**} r,
  /usr/share/themes/{,**} r,
  /etc/timezone r,
  /etc/ssh/ssh_config r,
  /etc/ssh/ssh_config.d/{,*} r,
-  /usr/share/remmina/{,**} r,
+  /etc/gtk-3.0/settings.ini r,
  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
  owner @{user_cache_dirs}/remmina/{,**} rw,
  owner @{user_config_dirs}/autostart/remmina-applet.desktop r,
  owner @{user_config_dirs}/gtk-3.0/bookmarks r,
  owner @{user_config_dirs}/freerdp/known_hosts2 rwk,
  owner @{user_config_dirs}/gtk-3.0/bookmarks r,
  owner @{user_config_dirs}/remmina/{,**} rw,
  owner @{user_share_dirs}/remmina/{,**} rw,
  owner @{user_cache_dirs}/remmina/{,**} rw,
  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{run}/user/@{uid}/keyring/ssh rw,
  # gtk-tiny
  /etc/gtk-3.0/settings.ini r,
  /usr/share/themes/{,**} r,
  # X-tiny
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,
  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
  /etc/X11/{,**} r,
  include if exists <local/remmina>
 }
--- a/apparmor.d/profiles-m-r/rustdesk
+++ b/apparmor.d/profiles-m-r/rustdesk
@ -50,15 +50,15 @@ profile rustdesk @{exec_path} {
  @{exec_path} mrix,
-  /{,usr/}bin/w        rPx,
+  @{bin}/w        rPx,
-  /{,usr/}bin/ps       rPx,
+  @{bin}/ps       rPx,
-  /{,usr/}bin/whoami   rPx,
+  @{bin}/whoami   rPx,
-  /{,usr/}bin/loginctl rPx,
+  @{bin}/loginctl rPx,
-  /{,usr/}bin/curl     rix,
+  @{bin}/curl     rix,
-  /{,usr/}bin/ls       rix,
+  @{bin}/ls       rix,
-  /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python,
+  @{bin}/python3.[0-9]* rPx -> rustdesk_python,
-  /{,usr/}bin/{,ba,da}sh     rPx -> rustdesk_shell,
+  @{bin}/{,ba,da}sh     rPx -> rustdesk_shell,
  /etc/gdm{,3}/custom.conf r,
@ -122,8 +122,8 @@ profile rustdesk @{exec_path} {
 #  deny /etc/passwd r,
  # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary.
-#  deny /{,usr/}bin/sudo   x,
+#  deny @{bin}/sudo   x,
-  /{,usr/}bin/sudo rCx -> sudo,
+  @{bin}/sudo rCx -> sudo,
  profile sudo {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
@ -138,7 +138,7 @@ profile rustdesk @{exec_path} {
    network netlink raw,
-    /{,usr/}bin/sudo r,
+    @{bin}/sudo r,
    /etc/sudo.conf r,
    /etc/sudoers r,
@ -161,7 +161,7 @@ profile rustdesk @{exec_path} {
    owner @{PROC}/@{pid}/fd/ r,
    /{,usr/}{,local/}bin/rustdesk rPx,
-    /{,usr/}bin/python3.[0-9]*    rPx -> rustdesk_python,
+    @{bin}/python3.[0-9]*    rPx -> rustdesk_python,
    include if exists <local/rustdesk_sudo>
  }
@ -185,11 +185,11 @@ profile rustdesk_python {
  capability dac_read_search,
  capability dac_override,
-  /{,usr/}bin/python3.[0-9]* r,
+  @{bin}/python3.[0-9]* r,
-  /{,usr/}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
-  /{,usr/}bin/chmod rix,
+  @{bin}/chmod rix,
-  /{,usr/}bin/uname rPx,
+  @{bin}/uname rPx,
  /usr/share/rustdesk/files/pynput_service.py rPx,
  /usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r,
@ -218,16 +218,16 @@ profile rustdesk_shell {
  ptrace (read),
-  /{,usr/}bin/{,ba,da}sh r,
+  @{bin}/{,ba,da}sh r,
-  /{,usr/}bin/tr       rix,
+  @{bin}/tr       rix,
-  /{,usr/}bin/{,e}grep rix,
+  @{bin}/{,e}grep rix,
-  /{,usr/}bin/tail     rix,
+  @{bin}/tail     rix,
-  /{,usr/}bin/xargs    rix,
+  @{bin}/xargs    rix,
-  /{,usr/}bin/sed      rix,
+  @{bin}/sed      rix,
-  /{,usr/}bin/cat      rix,
+  @{bin}/cat      rix,
-  /{,usr/}bin/ps rPx,
+  @{bin}/ps rPx,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/environ r,
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@ -1,11 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{,usr/}bin/ss
+@{exec_path} = @{bin}/ss
 profile ss @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -3,39 +3,23 @@
 acpid attach_disconnected,complain
 agetty complain
 akonadi_agent_launcher complain
 akonadi_agent_server complain
 akonadi_akonotes_resource complain
 akonadi_archivemail_agent complain
 akonadi_birthdays_resource complain
-akonadi_ews_resource complain
+akonadi_contacts_resource complain
-akonadi_ewsmta_resource complain
+akonadi_control complain
 akonadi_followupreminder_agent complain
 akonadi_google_resource complain
 akonadi_ical_resource complain
 akonadi_icaldir_resource complain
 akonadi_imap_resource complain
 akonadi_indexing_agent complain
 akonadi_knut_resource complain
 akonadi_kolab_resource complain
 akonadi_maildir_resource complain
 akonadi_maildispatcher_agent complain
 akonadi_mailfilter_agent complain
 akonadi_mailmerge_agent complain
 akonadi_mbox_resource complain
 akonadi_migration_agent complain
 akonadi_mixedmaildir_resource complain
 akonadi_newmailnotifier_agent complain
 akonadi_notes_agent complain
 akonadi_notes_resource complain
 akonadi_openxchange_resource complain
 akonadi_pop3_resource complain
 akonadi_rds complain
 akonadi_sendlater_agent complain
 akonadi_tomboynotes_resource complain
 akonadi_unifiedmailbox_agent complain
 akonadi_vcard_resource complain
 akonadi_vcarddir_resource complain
 anacron complain
 atd complain
 atril-previewer complain
@ -50,6 +34,7 @@ avahi-set-host-name complain
 baloo complain
 busctl complain
 cc-remote-login-helper complain
 kiod5 complain
 cfdisk complain
 cgdisk complain
 child-open complain
@ -89,6 +74,7 @@ dolphin complain
 downloadhelper complain
 drkonqi complain
 e2fsck complain
 epiphany-webapp-provider complain
 etckeeper complain
 evince complain
 evince-previewer complain