From 23312c1640fffbbed3fe96d21d297435e5c633ac Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 27 Jan 2023 22:00:10 +0000
Subject: [PATCH] feat(profile): ensure compatibility with userspace tools.
---
 apparmor.d/groups/bus/ibus-portal | 2 +-
 .../groups/freedesktop/xdg-document-portal | 2 +-
 .../groups/freedesktop/xdg-permission-store | 2 +-
 apparmor.d/groups/gnome/gjs-console | 2 +-
 apparmor.d/groups/gnome/gnome-session-binary | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 4 +-
 apparmor.d/groups/gnome/goa-daemon | 2 +-
 apparmor.d/groups/gnome/goa-identity-service | 2 +-
 apparmor.d/groups/gnome/gsd-housekeeping | 2 +-
 apparmor.d/groups/gnome/gsd-rfkill | 2 +-
 apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +-
 apparmor.d/groups/gnome/gsd-sharing | 2 +-
 apparmor.d/groups/gnome/tracker-miner | 2 +-
 .../groups/gvfs/gvfs-afc-volume-monitor | 2 +-
 .../groups/gvfs/gvfs-goa-volume-monitor | 2 +-
 .../groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +-
 .../groups/gvfs/gvfs-mtp-volume-monitor | 2 +-
 .../groups/gvfs/gvfs-udisks2-volume-monitor | 2 +-
 apparmor.d/groups/gvfs/gvfsd | 2 +-
 apparmor.d/groups/network/mullvad-daemon | 2 +-
 apparmor.d/groups/network/mullvad-gui | 2 +-
 .../profiles-a-f/appimage-beyond-all-reason | 112 ------------------
 apparmor.d/profiles-m-r/nft | 2 +-
 23 files changed, 23 insertions(+), 135 deletions(-)
 delete mode 100644 apparmor.d/profiles-a-f/appimage-beyond-all-reason
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index 40c87491..1e87044b 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -20,7 +20,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 15adce72..2549c008 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 member=GetMountPoint
 peer=(name=:*, label="{snap,xdg-desktop-portal}"),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 0f698afc..d5becb1e 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -31,7 +31,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 member=Lookup
 peer=(name=:*, label="{gnome-shell,xdg-desktop-portal}"),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 7c65e51e..c494aded 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -61,7 +61,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 member={ActiveChanged,WakeUpScreen,GetActive}
 peer=(name=:*, label="{gnome-shell,gnome-session-binary,xdg-desktop-portal-*}"),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index ff55a217..68d4d93b 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -123,7 +123,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 member=GetAddress
 peer=(name=org.a11y.Bus),
 # all peer's labels
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 57264c75..bca241e3 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -229,7 +229,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member={GetAll,GetResources,Set}
 peer=(name=:*, label="{gsd-power,gsd-color,xdg-desktop-portal-*}"),
- dbus receive bus=session path={/org/gnome/Shell/Screenshot,/org/gnome/Shell/Introspect,/org/gtk/Notifications,/org/gnome/Mutter/RemoteDesktop,/org/gnome/Mutter/ScreenCast}
+ dbus receive bus=session path=/org/{gnome/Shell/Screenshot,gnome/Shell/Introspect,gtk/Notifications,gnome/Mutter/RemoteDesktop,gnome/Mutter/ScreenCast}
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name=:* label=xdg-desktop-portal-*),
@@ -334,7 +334,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(name=:*),
 # all paths and peer's labels
- dbus receive bus=session path={/,/org,/StatusNotifierWatcher}
+ dbus receive bus=session path=/{,org,StatusNotifierWatcher}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell), # itself
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index e7eed0bd..22c6ce5a 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -48,7 +48,7 @@ profile goa-daemon @{exec_path} {
 member=GetManagedObjects
 peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,unconfined}"),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service
index a92b8685..b84fa33d 100644
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@@ -27,7 +27,7 @@ profile goa-identity-service @{exec_path} {
 member=GetManagedObjects
 peer=(name=:*, label=goa-daemon),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index ba966ed9..057690b6 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -47,7 +47,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 member={CancelEndSession,QueryEndSession,EndSession,Stop}
 peer=(name=:*, label=gnome-session-binary),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 6c62686c..afb8db67 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -76,7 +76,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 member=PropertiesChanged
 peer=(name=org.freedesktop.DBus, label=gnome-shell),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index e92ec8f6..c7063ae5 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -43,7 +43,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
 member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
 peer=(name=:*, label=gnome-session-binary),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index b1a529b1..c47b27d4 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -91,7 +91,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 member=StopUnit
 peer=(name=org.freedesktop.systemd[0-9]*),
 # all peer's labels
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 0c90c4da..5e071756 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -66,7 +66,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 member=Query
 peer=(name=:*, label=tracker-extract),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index 2ec86270..605753ed 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -22,7 +22,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 member={List,IsSupported}
 peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
- dbus receive bus=session path={/,/org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session path=/{,org/gtk/Private/RemoteVolumeMonitor}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 67c24489..4916e751 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -22,7 +22,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 member={List,IsSupported}
 peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
- dbus receive bus=session path={/,/org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session path=/{,org/gtk/Private/RemoteVolumeMonitor}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 04446437..ab113d66 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -26,7 +26,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
 member={List,IsSupported}
 peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
- dbus receive bus=session path={/,/org,/org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session path=/{,org/,org/gtk/Private/RemoteVolumeMonitor}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index cc6ba3de..ee7a9f33 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -25,7 +25,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
 member={List,IsSupported}
 peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
- dbus receive bus=session path={/,/org,/org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session path=/{,org/,org/gtk/Private/RemoteVolumeMonitor}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 49bb73fb..6b36ed5a 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -48,7 +48,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 member={List,IsSupported}
 peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 55f5cb9a..b6c7590b 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
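Review bot: The rewritten rule in the gvfs-gphoto2-volume-monitor hunk, `path=/{,org/,org/gtk/Private/RemoteVolumeMonitor}`, expands its middle alternative to `/org/` rather than the `/org` the removed line matched, and a trailing slash is not a valid D-Bus object path, so an Introspect call on `/org` from gnome-shell would no longer be covered by this rule. The gvfs-mtp-volume-monitor hunk on this line carries the same slip. The equivalent rewrite is `dbus receive bus=session path=/{,org,org/gtk/Private/RemoteVolumeMonitor}`, which is also the form the other profiles in this commit use (`path=/{,org}`). The rule's interface/member/peer conditions are context lines inside the hunk, so nothing else needs to move.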
@@ -43,7 +43,7 @@ profile gvfsd @{exec_path} {
 member=Spawned
 peer=(name=:*, label=gvfsd-*),
- dbus receive bus=session path={/,/org}
+ dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 46d0bccd..269609b4 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/mullvad-daemon
-@{exec_path} += "/opt/Mullvad VPN/resources/mullvad-daemon"
+@{exec_path} += /opt/Mullvad*/resources/mullvad-daemon
 profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 6036e041..7f1f122c 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = "/opt/Mullvad VPN/mullvad-gui"
+@{exec_path} = /opt/Mullvad*/mullvad-gui
 profile mullvad-gui @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/appimage-beyond-all-reason b/apparmor.d/profiles-a-f/appimage-beyond-all-reason
deleted file mode 100644
index dd72bbee..00000000
--- a/apparmor.d/profiles-a-f/appimage-beyond-all-reason
+++ /dev/null
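Review bot: `@{exec_path} += /opt/Mullvad*/resources/mullvad-daemon` in the mullvad-daemon hunk (and `@{exec_path} = /opt/Mullvad*/mullvad-gui` in the mullvad-gui hunk) swaps an exact quoted path for a glob without recording why, so a later reader will take it as deliberate support for several install directories rather than a workaround. Because `*` does not match `/`, the attachment set only widens to sibling directories named `/opt/Mullvad<anything>/`, which is small, but the intent should be stated next to the line, e.g. `# Glob instead of "/opt/Mullvad VPN/": quoted paths with spaces are not parsed by the userspace tools`. That the tools reject the quoted form is inferred from the commit subject, not shown in the hunk.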
@@ -1,112 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = "/home/*/@{XDG_DESKTOP_DIR}/Beyond All Reason.AppImage"
-@{exec_path} += /home/*/@{XDG_DESKTOP_DIR}/BeyondAllReason.AppImage
-profile appimage-beyond-all-reason @{exec_path} {
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
-
- capability sys_ptrace,
-
- network netlink raw,
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
-
- @{exec_path} mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/xmessage rix,
-
- /{usr/,}bin/x86_64-linux-gnu-addr2line rix,
-
- /{usr/,}bin/fusermount{,3} rCx -> fusermount,
-
- mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
-
- /tmp/.mount_Beyond*/ rw,
- /tmp/.mount_Beyond*/beyond-all-reason rix,
- /tmp/.mount_Beyond*/AppRun rix,
- /tmp/.mount_Beyond*/bin/* rix,
- /tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
- /tmp/.mount_Beyond*/** r,
- /tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
-
- owner @{user_config_dirs}/Beyond-All-Reason/ rw,
- owner @{user_config_dirs}/Beyond-All-Reason/** rwk,
-
- owner "@{HOME}/Beyond All Reason/" rw,
- owner "@{HOME}/Beyond All Reason/**" rwkm,
- owner "@{HOME}/Beyond All Reason/engine/**/spring" rix,
-
- owner @{HOME}/.spring/ rw,
- owner @{HOME}/.spring/** rw,
-
- @{PROC}/ r,
- owner @{PROC}/@{pid}/fd/ r,
- deny owner @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pids}/stat r,
- owner @{PROC}/@{pids}/statm r,
- owner @{PROC}/@{pids}/task/ r,
- owner @{PROC}/@{pids}/task/@{tid}/status r,
- owner @{PROC}/@{pid}/oom_{,score_}adj r,
- deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
- @{PROC}sys/fs/inotify/max_user_watches r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
-
- @{sys}/bus/pci/devices/ r,
- @{sys}/devices/pci[0-9]*/**/class r,
- @{sys}/devices/virtual/tty/tty0/active r,
-
-  /dev/fuse rw,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
-
- profile fusermount {
- include
- include
-
- # To mount anything:
- capability sys_admin,
-
- capability dac_read_search,
-
- /{usr/,}bin/fusermount{,3} mr,
-
- mount fstype={fuse,fuse.*.AppImage} -> /tmp/.mount_*/,
- umount /tmp/.mount_*/,
-
- /dev/fuse rw,
-
- /etc/fuse.conf r,
-
- owner @{HOME}/**.AppImage r,
- owner @{MOUNTS}/*/**.AppImage r,
-
- @{PROC}/@{pid}/mounts r,
-
- }
-
- include if exists
-}
diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft
index 8a2a8aa7..047a0863 100644
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@@ -16,7 +16,7 @@ profile nft @{exec_path} {
 network netlink raw,
- ptrace(read),
+ ptrace (read),
 @{exec_path} mr,