From 239d5efe63285b2b8a7d006d0867e20a2133f0e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 7 May 2024 16:19:29 +0100 Subject: [PATCH] feat(profile): general update. --- .../groups/children/child-modprobe-nvidia | 1 + .../groups/freedesktop/xdg-desktop-portal-gtk | 5 ---- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/gnome/gsd-printer | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 1 + apparmor.d/groups/kde/kstart | 4 +-- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/pacman/mkinitcpio | 29 +++---------------- apparmor.d/profiles-a-f/borg | 7 ++--- .../profiles-a-f/flatpak-session-helper | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-m-r/pam-tmpdir-helper | 1 + apparmor.d/profiles-s-z/syncthing | 6 ++-- apparmor.d/profiles-s-z/xdpyinfo | 6 +--- 14 files changed, 22 insertions(+), 46 deletions(-) diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61c6d609..582d7b19 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -25,6 +25,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { capability fsetid, capability mknod, capability sys_admin, + capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 171a7185..05c8be3b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -57,11 +57,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner /var/lib/xkb/server-@{int}.xkm rw, - owner @{HOME}/ r, - owner @{HOME}/.* r, - owner @{HOME}/.icons/{,**} r, - owner @{HOME}/@{XDG_DATA_DIR}/ r, - owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 95afc8fc..5d11a8fd 100644 
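Review bot: The new `capability syslog,` in child-modprobe-nvidia has no comment saying which operation of the modprobe child needs it, and CAP_SYSLOG is broader than reading the kernel ring buffer: it also lifts the kptr_restrict=1 masking of kernel addresses in /proc interfaces such as /proc/kallsyms, which is the kind of grant a later reviewer will want a reason for. A one-line comment above the rule naming the triggering denial, e.g. `# CAP_SYSLOG: <denied operation from the audit log>`, keeps the grant reviewable and removable when the cause goes away. The `capability sys_admin,` directly above already makes this child profile privileged, so the marginal risk is limited, but documenting it keeps with the rest of the capability block.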
--- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -94,6 +94,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.pam_environment r, + @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index eca2916d..22c67e4a 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -19,7 +19,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=com.redhat.NewPrinterNotification #aa:dbus own bus=system name=com.redhat.PrinterDriversInstaller - + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 3d7f9863..b9ed61ba 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -49,6 +49,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { /etc/fstab r, # Mount points + @{MOUNTS}/ r, @{MOUNTS}/**/ r, @{HOME}/**/ r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 1080978c..c6429485 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -13,8 +13,9 @@ profile kstart @{exec_path} flags=(attach_disconnected) { include include include - include include + include + include include @{exec_path} mr, @@ -22,7 +23,6 @@ profile kstart @{exec_path} flags=(attach_disconnected) { @{bin}/** rPUx, @{bin}/konsole rPx, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, 
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 038105d8..75fa7727 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -44,7 +44,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1.Manager label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index ba8f69d4..c61d68bb 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -23,40 +23,18 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} rmix, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{coreutils_path} rix, @{bin}/bsdtar rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/dd rix, - @{bin}/dirname rix, @{bin}/fc-match rix, - @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/fsck rix, @{bin}/getent rix, - @{bin}/grep rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/install rix, @{bin}/ldconfig rix, @{bin}/ldd rix, - @{bin}/ln rix, @{bin}/loadkeys rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/od rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/sync rix, - @{bin}/tee rix, - @{bin}/touch rix, @{bin}/tput rix, - @{bin}/uname rix, - @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zcat rix, @{bin}/zstd rix, 
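Review bot: Replacing the enumerated tools in mkinitcpio with `@{coreutils_path} rix,` also drops `@{bin}/{m,g,}awk`, `@{bin}/grep`, `@{bin}/sed`, `@{bin}/find` and `@{bin}/xargs`, none of which are GNU coreutils; unless the project's `@{coreutils}` tunable deliberately lists them (its definition is not in this patch), mkinitcpio hooks that shell out to them will now be denied. Worth confirming against the tunable and, if they are not covered, keeping `@{bin}/{m,g,}awk rix,`, `@{bin}/{grep,sed} rix,` and `@{bin}/{find,xargs} rix,` next to the alias. In the other direction the alias is wider than the explicit list it replaces (every coreutils binary becomes executable inline); that is acceptable for `ix` since the tools stay under this profile's confinement, but a short comment noting the trade-off would help the next reader. The profile continues outside the hunk.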
@@ -106,9 +84,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Temp files owner @{run}/initramfs/{,**} rw, - owner @{run}/mkinitcpio.@{rand6}/{,**} rw, + owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, owner @{tmp}/mkinitcpio.@{rand6} rw, - owner @{tmp}/mkinitcpio.@{rand6}/{,**} rw, + owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, @{sys}/class/block/ r, @{sys}/devices/{,**} r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 9703dcb6..739d1847 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -16,8 +16,6 @@ profile borg @{exec_path} { capability dac_override, capability dac_read_search, - capability fowner, - capability sys_admin, network inet dgram, network inet6 dgram, @@ -77,6 +75,7 @@ profile borg @{exec_path} { owner /var/tmp/tmp*/idx rw, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, /dev/fuse rw, @@ -103,8 +102,8 @@ profile borg @{exec_path} { capability sys_admin, - mount fstype=fuse borgfs -> @{MOUNTS}/, - mount fstype=fuse borgfs -> @{MOUNTS}/*/, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 02dcab0f..4d347cc8 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -25,7 +25,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, @{bin}/ps rPx, @{bin}/p11-kit rix, - @{bin}/pkexec rPx, + @{bin}/pkexec rPx, # TODO: too wide, rCx. @{lib}/p11-kit/p11-kit-remote rix, @{lib}/p11-kit/p11-kit-server rix, /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index a3d46cb3..7315c550 100644 
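Review bot: The tightened borg mount rules use `options=(ro nosuid nodev)`, which, as I read AppArmor's mount-rule semantics, is an exact match on the mount flags rather than a subset match; a `borg mount` whose flag set differs in any way (for example a root-initiated FUSE mount where the helper does not add nosuid,nodev) will be denied outright rather than merely losing the extra flags. If the intent is "read-only and at most nosuid,nodev", `mount fstype=fuse options in (ro nosuid nodev) borgfs -> @{MOUNTS}/,` and the matching `@{MOUNTS}/*/` line express that; if exact flags are intended, a comment stating which borgfs invocation produces them would let a future maintainer tell a deliberate denial from a regression. Dropping the top-level `capability fowner,` and `capability sys_admin,` in the first hunk is a welcome reduction, since `capability sys_admin,` still appears in the mount context of the third hunk where it is actually needed.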
--- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -61,6 +61,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 5ca95200..1c0836c1 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -19,6 +19,7 @@ profile pam-tmpdir-helper @{exec_path} { owner @{tmp}/ rw, /dev/ptmx rw, + /dev/tty@{int} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 416e64e3..f669e73d 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -38,8 +38,10 @@ profile syncthing @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/@{pids}/net/route r, + @{PROC}/@{pids}/net/route r, + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 54fdafa9..2bad9b33 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/xdpyinfo profile xdpyinfo @{exec_path} { include + include @{exec_path} mr, - owner @{HOME}/.Xauthority r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - include if exists }
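Review bot: The new `/dev/tty@{int} rw,` in pam-tmpdir-helper is not `owner`-qualified and grants read/write on every virtual console, while a PAM session helper normally only inherits the user's controlling terminal as stdio from the stack that launched it. If that is the case here, marking the rule with the `# file_inherit` convention this repository uses elsewhere (visible in the xdpyinfo hunk below) documents that the access is an inherited descriptor rather than a capability to open other consoles, e.g. `# file_inherit` on the line above `/dev/tty@{int} rw,`. The file also still ends without a trailing newline (`\ No newline at end of file`), which this touch of the file could fix.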
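Review bot: In xdpyinfo the `# file_inherit` rule `owner @{HOME}/.xsession-errors w,` and `owner @{HOME}/.Xauthority r,` are removed and only a new include is added, whose target is not visible in this rendering; if that abstraction does not grant the `.xsession-errors` write, a session that starts xdpyinfo with stderr redirected there will log a file_inherit denial at the profile transition on every run (AppArmor revalidates inherited descriptors at exec, so the tool still works but the log noise hides real problems). Worth verifying with one run under the session before merging, or keeping the two-line `# file_inherit` block until the include is confirmed to cover it.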