feat(profile): modernize some profiles.

2024-11-14 23:43:56 +01:00 · 2024-10-02 13:46:30 +01:00 · 2024-10-02 13:46:30 +01:00 · 239ae17119
commit 239ae17119
parent 28a2892be0
15 changed files with 28 additions and 58 deletions
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -14,18 +14,13 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {

  signal (receive) set=(term, hup) peer=gdm*,

-  dbus bind bus=session name=org.freedesktop.portal.IBus,
+  #aa:dbus own bus=session name=org.freedesktop.portal.IBus

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/org/freedesktop/IBus
-       interface=org.freedesktop.DBus.Peer
-       member=Ping 
-       peer=(name=:*, label=ibus-daemon),
-
  @{exec_path} mr,

  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-email
 profile xdg-email @{exec_path} flags=(complain) {
  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/freedesktop.org>

  @{exec_path}  r,

--- a/apparmor.d/groups/freedesktop/xdg-icon-resource
+++ b/apparmor.d/groups/freedesktop/xdg-icon-resource
@ -12,6 +12,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
+  include <abstractions/freedesktop.org>

  @{exec_path} r,

--- a/apparmor.d/groups/freedesktop/xdg-screensaver
+++ b/apparmor.d/groups/freedesktop/xdg-screensaver
@ -11,6 +11,7 @@ include <tunables/global>
 profile xdg-screensaver @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/freedesktop.org>

  @{exec_path} r,

--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@ -14,10 +14,7 @@ profile gnome-control-center-search-provider @{exec_path} {
  include <abstractions/gnome-strict>
  include <abstractions/graphics>

-  dbus bind bus=session name=org.gnome.Settings.SearchProvider,
-  dbus receive bus=session path=/org/gnome/Settings/SearchProvider
-       interface=org.gnome.Shell.SearchProvider2
-       peer=(name=:*, label=gnome-shell),
+  #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -21,10 +21,7 @@ profile seahorse @{exec_path} {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>

-  dbus bind bus=session name=org.gnome.seahorse.Application,
-  dbus receive bus=session path=/org/gnome/seahorse/Application
-       interface=org.gnome.Shell.SearchProvider2
-       peer=(name=:*),
+  #aa:dbus own bus=session name=org.gnome.seahorse.Application

  @{exec_path} mr,

--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@ -84,7 +84,6 @@ profile systemsettings @{exec_path} {
  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk,
  owner @{user_config_dirs}/emaildefaults r,
-  owner @{user_config_dirs}/kactivitymanagerdrc r,
  owner @{user_config_dirs}/kde.org/{,**} rwlk,
  owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
  owner @{user_config_dirs}/kdedefaults/plasmarc r,
@ -111,6 +110,11 @@ profile systemsettings @{exec_path} {
  owner @{user_share_dirs}/systemsettings/** rwlk,
  owner @{user_share_dirs}/wallpapers/{,**} r,

+  owner @{user_state_dirs}/#@{int} rw,
+  owner @{user_state_dirs}/systemsettingsstaterc rw,
+  owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk,
+  owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk,
+
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

@ -123,9 +127,10 @@ profile systemsettings @{exec_path} {
  @{sys}/firmware/acpi/pm_profile r,

        @{PROC}/interrupts r,
-  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,

  /dev/ r,
  /dev/bus/usb/ r,
--- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan
+++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
@ -14,7 +14,7 @@ profile cron-ubuntu-fan @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,da,ba}sh  rix,
+  @{sh_path}         rix,
  @{bin}/fanctl      rix,
  @{bin}/flock       rix,
  @{bin}/grep        rix,
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -20,35 +20,15 @@ profile software-properties-gtk @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/python>

-  dbus bind bus=session name=com.ubuntu.SoftwareProperties,
-  dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties
-       interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}}
-       peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk),
-  dbus send bus=system path=/
-       interface=com.ubuntu.SoftwareProperties
-       peer=(name=:*, label=software-properties-dbus),
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*),
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
-
-  dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
+  #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties
+  #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon

  @{exec_path} mr,

  @{bin}/ r,

+  @{sh_path}                      rix,
  @{bin}/python3.@{int}           r,
-  @{bin}/{,da,ba}sh               rix,
  @{bin}/aplay                    rPx,
  @{bin}/apt-key                  rPx,
  @{bin}/dpkg                     rPx -> child-dpkg,
@ -73,9 +53,9 @@ profile software-properties-gtk @{exec_path} {
  /var/crash/*software-properties-gtk.@{uid}.crash rw,
  /var/lib/ubuntu-advantage/status.json r,

-  owner @{tmp}/???????? rw,
-  owner @{tmp}/tmp????????/ rw, # change to 'c'
-  owner @{tmp}/tmp????????/apt.conf rw,
+  owner @{tmp}/@{word8} rw,
+  owner @{tmp}/tmp@{word8}/ rw,
+  owner @{tmp}/tmp@{word8}/apt.conf rw,

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@ -22,7 +22,7 @@ profile subiquity-console-conf @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,da,ba}sh  rix,
+  @{sh_path}         rix,
  @{bin}/cat         rix,
  @{bin}/grep        rix,
  @{bin}/ip          rix,
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
@ -14,17 +14,8 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)

  capability sys_nice,

-  dbus bind bus=system name=com.canonical.UbuntuAdvantage,
-
-  dbus receive bus=system path=/
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name=:*, label=software-properties-gtk),
-
-  dbus receive bus=system
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=software-properties-gtk),
+  #aa:dbus own bus=system name=com.canonical.UbuntuAdvantage
+  #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk

  @{exec_path} mr,

--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -60,6 +60,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/                    /var/lib/docker/tmp/**/,

  ptrace read peer=docker-*,
+  ptrace read peer=runc,
  ptrace read peer=unconfined,

  signal send set=int  peer=docker-proxy,
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -135,7 +135,7 @@ profile qbittorrent @{exec_path} {

    owner @{user_torrents_dirs}/** r,

-    owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int},  # unconventional '_' tail
+    owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int},
    owner /dev/shm/* rw,

    owner @{tmp}/@{int} rw,
--- a/apparmor.d/profiles-m-r/repo
+++ b/apparmor.d/profiles-m-r/repo
@ -51,7 +51,7 @@ profile repo @{exec_path} {
  owner @{tmp}/ssh-*/ rw,

  owner /dev/shm/* rw,
-  owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*,  # unconventional '_' tail
+  owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/*,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -24,7 +24,7 @@ profile wireplumber @{exec_path} {
  network bluetooth stream,
  network netlink raw,

-  dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,
+  #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable