commit 244b2c88a2ccdc631c4034579809b1ccd05147ab
Author: Mikhail Morfikov
Date: Sat Sep 12 17:19:23 2020 +0200
move apparmor profiles to a seperate repo
diff --git a/apparmor.d/abstractions/X b/apparmor.d/abstractions/X
new file mode 100644
index 00000000..5c9a4b20
--- /dev/null
+++ b/apparmor.d/abstractions/X
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ #include
+
+
+ # .ICEauthority files required for X authentication, per user
+ owner @{HOME}/.ICEauthority r,
+
+ # .Xauthority files required for X connections, per user
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.local/share/sddm/.Xauthority r,
+ owner /{,var/}run/gdm{,3}/*/database r,
+ owner /{,var/}run/lightdm/authority/[0-9]* r,
+ owner /{,var/}run/lightdm/*/xauthority r,
+ owner /{,var/}run/user/*/gdm/Xauthority r,
+ owner /{,var/}run/user/*/X11/Xauthority r,
+
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* rw,
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+
+ /usr/include/X11/ r,
+ /usr/include/X11/** r,
+
+ # The X tree changes and is large -- grant read access to the whole thing
+ /usr/X11R6/** r,
+ /usr/share/X11/ r,
+ /usr/share/X11/** r,
+ /usr/X11R6/**.so* mr,
+
+ # EGL
+ /usr/lib/@{multiarch}/egl/*.so* mr,
+
+ # Xcompose
+ owner @{HOME}/.XCompose r,
+
+ # mouse themes
+ /etc/X11/cursors/ r,
+ /etc/X11/cursors/** r,
+
+ # Xwayland
+ owner /run/user/*/.mutter-Xwaylandauth.* r,
+
+ # Available Xsessions
+ /usr/share/xsessions/{,*.desktop} r,
diff --git a/apparmor.d/abstractions/apache2-common b/apparmor.d/abstractions/apache2-common
new file mode 100644
index 00000000..850dd89c
--- /dev/null
+++ b/apparmor.d/abstractions/apache2-common
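Review bot: Every `#include` and `#abi` directive in this hunk is missing its argument (`#include` alone near the top of the file, `#abi ,` two lines above it), and a bare `#include` is not something the parser accepts; the same pattern shows up in apache2-common, app-launcher-root, app-launcher-user, the apparmor_api files, authentication and the dbus abstractions, so this is noted once here. The most likely explanation is that the angle-bracketed target (of the form `#abi <abi/3.0>,` or `#include <abstractions/base>`) was dropped when the page was rendered rather than in the commit itself, but from the page alone that cannot be distinguished from a genuine omission, so it is worth checking the committed files in the repository. If the targets really are absent, each of these files fails to load, and because `#include` (no space after `#`) is a directive rather than a comment, the failure is silent until apparmor_parser runs.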
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+
+# This file contains basic permissions for Apache and every vHost
+
+ #include
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+ # Allow apache to send us signals by default
+ signal (receive) peer=apache2,
+ # Allow other hats to signal by default
+ signal peer=apache2//*,
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Apache
+ network inet stream,
+ network inet6 stream,
+ # apache manual, error pages and icons
+ /usr/share/apache2/** r,
+
+ # changehat itself
+ @{PROC}/@{pid}/attr/current rw,
+
+ # htaccess files - for what ever it is worth
+ /**/.htaccess r,
+
+ /dev/urandom r,
+
+ # sasl-auth
+ /run/saslauthd/mux rw,
+
+ # OCSP stapling
+ /var/log/apache2/stapling-cache rw,
diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root
new file mode 100644
index 00000000..f22be049
--- /dev/null
+++ b/apparmor.d/abstractions/app-launcher-root
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # Root app location
+ / r,
+ /usr/ r,
+ /{usr/,}sbin/ r,
+ /{usr/,}sbin/[a-z0-9]* rPUx,
diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
new file mode 100644
index 00000000..7ef7b994
--- /dev/null
+++ b/apparmor.d/abstractions/app-launcher-user
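Review bot: `/{usr/,}sbin/[a-z0-9]* rPUx,` on the last line of app-launcher-root transitions to the target's own profile when one exists but otherwise executes the binary unconfined, so any profile that includes this abstraction can start every sbin binary that lacks a profile entirely outside AppArmor; `/{usr/,}bin/[a-z0-9]* rPUx,` in app-launcher-user does the same for bin. That fallback may well be the intent of a launcher abstraction, but nothing in the file says so, and the `U` is easy to miss next to the `rPx` rules that follow it in app-launcher-user. A comment above the rule such as `# PUx: use the target's own profile if it has one, otherwise run it unconfined` would make the trade-off explicit to whoever includes the abstraction. The `[a-z0-9]*` glob also leaves out binaries whose names start with an uppercase letter, underscore or dot, which is presumably deliberate but is worth a word in the same comment.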
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # User app location
+ / r,
+ /usr/ r,
+ /{usr/,}bin/ r,
+ /{usr/,}bin/[a-z0-9]* rPUx,
+
+ # Firefox
+ /{usr/,}lib/ r,
+ /{usr/,}lib/firefox/ r,
+ /{usr/,}lib/firefox/firefox* rPx,
+
+ # Google Chrome
+ /opt/ r,
+ /opt/google/ r,
+ /opt/google/chrome{,-beta,-unstable}/ r,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} rPx,
+
+ # Brave
+ /opt/brave.com/ r,
+ /opt/brave.com/brave{,-beta,-dev}/ r,
+ /opt/brave.com/brave{,-beta,-dev}/brave-browser{,-beta,-dev} rPx,
+
+ # Discord
+ /usr/share/ r,
+ /usr/share/discord/ r,
+ /usr/share/discord/Discord rPx,
+
+ # FreeTube
+ /opt/FreeTube/ r,
+ /opt/FreeTube/freetube rPx,
+ /opt/FreeTube-Vue/ r,
+ /opt/FreeTube-Vue/freetube-vue rPx,
diff --git a/apparmor.d/abstractions/apparmor_api/change_profile b/apparmor.d/abstractions/apparmor_api/change_profile
new file mode 100644
index 00000000..30f6b704
--- /dev/null
+++ b/apparmor.d/abstractions/apparmor_api/change_profile
@@ -0,0 +1,11 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+@{PROC}/@{tid}/attr/{current,exec} w,
diff --git a/apparmor.d/abstractions/apparmor_api/examine b/apparmor.d/abstractions/apparmor_api/examine
new file mode 100644
index 00000000..2f2ea15a
--- /dev/null
+++ b/apparmor.d/abstractions/apparmor_api/examine
@@ -0,0 +1,12 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{pids}/attr/{current,prev,exec} r,
diff --git a/apparmor.d/abstractions/apparmor_api/find_mountpoint b/apparmor.d/abstractions/apparmor_api/find_mountpoint
new file mode 100644
index 00000000..b8ac54d1
--- /dev/null
+++ b/apparmor.d/abstractions/apparmor_api/find_mountpoint
@@ -0,0 +1,14 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#permissions needed for aa_find_mountpoint
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/abstractions/apparmor_api/introspect b/apparmor.d/abstractions/apparmor_api/introspect
new file mode 100644
index 00000000..e110c849
--- /dev/null
+++ b/apparmor.d/abstractions/apparmor_api/introspect
@@ -0,0 +1,12 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{tid}/attr/{current,prev,exec} r,
diff --git a/apparmor.d/abstractions/apparmor_api/is_enabled b/apparmor.d/abstractions/apparmor_api/is_enabled
new file mode 100644
index 00000000..a637d3ce
--- /dev/null
+++ b/apparmor.d/abstractions/apparmor_api/is_enabled
@@ -0,0 +1,17 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# permissions needed for aa_is_enabled
+
+# Make sure to include tunables/apparmorfs and tunables/global
+# when using this abstraction
+
+#include
+@{sys}/module/apparmor/parameters/enabled r,
+
+# TODO: add alternate apparmorfs interface for enabled
diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common
new file mode 100644
index 00000000..996abfe9
--- /dev/null
+++ b/apparmor.d/abstractions/apt-common
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ /etc/apt/apt.conf r,
+ /etc/apt/apt.conf.d/{,*} r,
+
+ /etc/apt/preferences r,
+ /etc/apt/preferences.d/{,*} r,
+
+ /etc/apt/sources.list r,
+ /etc/apt/sources.list.d/{,*.list} r,
+
+ /var/lib/apt/lists/{,**} r,
+ /var/lib/apt/extended_states r,
+
+ /var/cache/apt/pkgcache.bin r,
+ /var/cache/apt/srcpkgcache.bin r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/dpkg/status r,
+
+ owner /tmp/clearsigned.message.* rw,
+ owner /tmp/#[0-9]*[0-9] rw,
diff --git a/apparmor.d/abstractions/aspell b/apparmor.d/abstractions/aspell
new file mode 100644
index 00000000..95476892
--- /dev/null
+++ b/apparmor.d/abstractions/aspell
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# aspell permissions
+
+ # per-user settings and dictionaries
+ owner @{HOME}/.aspell.*.{pws,prepl} rwk,
+
+ # system libraries and dictionaries
+ /usr/lib/aspell/ r,
+ /usr/lib/aspell/* r,
+ /usr/lib/aspell/*.so m,
+ /usr/share/aspell/ r,
+ /usr/share/aspell/* r,
+ /var/lib/aspell/* r,
diff --git a/apparmor.d/abstractions/audio b/apparmor.d/abstractions/audio
new file mode 100644
index 00000000..f1ad356f
--- /dev/null
+++ b/apparmor.d/abstractions/audio
@@ -0,0 +1,88 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+/dev/admmidi* rw,
+/dev/adsp* rw,
+/dev/aload* rw,
+/dev/amidi* rw,
+/dev/audio* rw,
+/dev/dmfm* rw,
+/dev/dmmidi* rw,
+/dev/dsp* rw,
+/dev/midi* rw,
+/dev/mixer* rw,
+/dev/mpu401data rw,
+/dev/mpu401stat rw,
+/dev/patmgr* rw,
+/dev/phone* rw,
+/dev/radio* rw,
+/dev/rmidi* rw,
+/dev/sequencer rw,
+/dev/sequencer2 rw,
+/dev/smpte* rw,
+
+/dev/snd/* rw,
+/dev/sound/* rw,
+
+@{PROC}/asound/** rw,
+
+/usr/share/alsa/** r,
+/usr/share/sounds/ r,
+/usr/share/sounds/** r,
+
+owner @{HOME}/.esd_auth r,
+/etc/asound.conf r,
+owner @{HOME}/.asoundrc r,
+/etc/esound/esd.conf r,
+
+# libao
+/etc/libao.conf r,
+owner @{HOME}/.libao r,
+
+# libcanberra
+owner @{HOME}/.cache/event-sound-cache.* rwk,
+
+# pulse
+/etc/pulse/ r,
+/etc/pulse/** r,
+/{run,dev}/shm/ r,
+owner /{run,dev}/shm/pulse-shm* rwk,
+owner @{HOME}/.pulse-cookie rwk,
+owner @{HOME}/.pulse/ rw,
+owner @{HOME}/.pulse/* rwk,
+owner /{,var/}run/user/*/pulse/ rw,
+owner /{,var/}run/user/*/pulse/{native,pid} rwk,
+owner @{HOME}/.config/pulse/*.conf r,
+owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
+owner @{HOME}/.config/pulse/cookie rwk,
+owner /tmp/pulse-*/ rw,
+owner /tmp/pulse-*/* rw,
+
+# PulseAudio module-ladspa-sink (plugin sc4m_1916)
+/usr/lib/ladspa/ r,
+/usr/lib/ladspa/*.so mr,
+
+# libgnome2
+/etc/sound/ r,
+/etc/sound/** r,
+
+# openal
+/etc/alsa/conf.d/{,*} r,
+/etc/openal/alsoft.conf r,
+owner @{HOME}/.alsoftrc r,
+/usr/{,local/}share/openal/hrtf/{,**} r,
+owner @{HOME}/.local/share/openal/hrtf/{,**} r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,
diff --git a/apparmor.d/abstractions/authentication b/apparmor.d/abstractions/authentication
new file mode 100644
index 00000000..75771ecd
--- /dev/null
+++ b/apparmor.d/abstractions/authentication
@@ -0,0 +1,52 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd
+# Copyright (C) 2019 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+ # Some services need to perform authentication of users
+ # Such authentication almost certainly needs access to the local users
+ # databases containing passwords, PAM configuration files, PAM libraries
+ /{usr/,}etc/nologin r,
+ /{usr/,}etc/pam.d/* r,
+ /{usr/,}etc/securetty r,
+ /{usr/,}etc/security/* r,
+ /{usr/,}etc/shadow r,
+ /{usr/,}etc/gshadow r,
+ /{usr/,}etc/pwdb.conf r,
+
+ /{usr/,}lib{,32,64}/security/pam_filter/* mr,
+ /{usr/,}lib{,32,64}/security/pam_*.so mr,
+ /{usr/,}lib{,32,64}/security/ r,
+ /{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
+ /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
+ /{usr/,}lib/@{multiarch}/security/ r,
+
+ # kerberos
+ #include
+ # SuSE's pwdutils are different:
+ /{usr/,}etc/default/passwd r,
+ /{usr/,}etc/login.defs r,
+
+ # nis
+ #include
+
+ # winbind
+ #include
+
+ # likewise
+ #include
+
+ # smbpass
+ #include
+
+ # p11-kit (PKCS#11 modules configuration)
+ #include
diff --git a/apparmor.d/abstractions/base b/apparmor.d/abstractions/base
new file mode 100644
index 00000000..dff09125
--- /dev/null
+++ b/apparmor.d/abstractions/base
@@ -0,0 +1,182 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+ # (Note that the ldd profile has inlined this file; if you make
+ # modifications here, please consider including them in the ldd
+ # profile as well.)
+
+ # The __canary_death_handler function writes a time-stamped log
+ # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
+ # and localisations of date should be available EVERYWHERE, so
+ # StackGuard, FormatGuard, etc., alerts can be properly logged.
+ /dev/log w,
+ /dev/random r,
+ /dev/urandom r,
+ # Allow access to the uuidd daemon (this daemon is a thin wrapper around
+ # time and getrandom()/{,u}random and, when available, runs under an
+ # unprivilged, dedicated user).
+ /run/uuidd/request r,
+ /etc/locale/** r,
+ /etc/locale.alias r,
+ /etc/localtime r,
+ /etc/writable/localtime r,
+ /usr/share/locale-bundle/** r,
+ /usr/share/locale-langpack/** r,
+ /usr/share/locale/ r,
+ /usr/share/locale/** r,
+ /usr/share/**/locale/** r,
+ /usr/share/zoneinfo/ r,
+ /usr/share/zoneinfo/** r,
+ /usr/share/X11/locale/** r,
+ /run/systemd/journal/dev-log w,
+ # systemd native journal API (see sd_journal_print(4))
+ /run/systemd/journal/socket w,
+ # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+ # be required but applications fail without it. journald doesn't leak
+ # anything when reading so this is ok.
+ /run/systemd/journal/stdout rw,
+
+ /usr/lib{,32,64}/locale/** mr,
+ /usr/lib{,32,64}/gconv/*.so mr,
+ /usr/lib{,32,64}/gconv/gconv-modules* mr,
+ /usr/lib/@{multiarch}/gconv/*.so mr,
+ /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
+
+ # used by glibc when binding to ephemeral ports
+ /etc/bindresvport.blacklist r,
+
+ # ld.so.cache and ld are used to load shared libraries; they are best
+ # available everywhere
+ /etc/ld.so.cache mr,
+ /etc/ld.so.conf r,
+ /etc/ld.so.conf.d/{,*.conf} r,
+ /etc/ld.so.preload r,
+ /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
+
+ # we might as well allow everything to use common libraries
+ /{usr/,}lib{,32,64}/** r,
+ /{usr/,}lib{,32,64}/**.so* mr,
+ /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib/@{multiarch}/**.so* mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
+
+ # /dev/null is pretty harmless and frequently used
+ /dev/null rw,
+ # as is /dev/zero
+ /dev/zero rw,
+ # recent glibc uses /dev/full in preference to /dev/null for programs
+ # that don't have open fds at exec()
+ /dev/full rw,
+
+ # Sometimes used to determine kernel/user interfaces to use
+ @{PROC}/sys/kernel/version r,
+ # Depending on which glibc routine uses this file, base may not be the
+ # best place -- but many profiles require it, and it is quite harmless.
+ @{PROC}/sys/kernel/ngroups_max r,
+
+ # glibc's sysconf(3) routine to determine free memory, etc
+ @{PROC}/meminfo r,
+ @{PROC}/stat r,
+ @{PROC}/cpuinfo r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/online r,
+
+ # glibc's *printf protections read the maps file
+ @{PROC}/@{pid}/{maps,auxv,status} r,
+
+ # libgcrypt reads some flags from /proc
+ @{PROC}/sys/crypto/* r,
+
+ # some applications will display license information
+ /usr/share/common-licenses/** r,
+
+ # glibc statvfs
+ @{PROC}/filesystems r,
+
+ # glibc malloc (man 5 proc)
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # Allow determining the highest valid capability of the running kernel
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace read ourselves
+ ptrace (read) peer=@{profile_name},
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+
+ # Allow to receive some signals
+ signal (receive) peer=top,
+ signal (receive) peer=htop,
+ signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
+ signal (receive) set=(term,kill) peer=openbox,
+ signal (receive) set=(hup) peer=xinit,
+ signal (receive) set=(term,kill) peer=su,
+ signal (receive) peer=sudo,
+
+ # Allow to write a user defined fifo log devices
+ owner /dev/log-xsession w,
+ owner /dev/log-gnupg w,
+
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Checking for PID existence is quite common so add it by default for now
+ signal (receive, send) set=("exists"),
+
+ # Allow us to create and use abstract and anonymous sockets
+ unix peer=(label=@{profile_name}),
+
+ # Allow unconfined processes to us via unix sockets
+ unix (receive) peer=(label=unconfined),
+
+ # Allow us to create abstract and anonymous sockets
+ unix (create),
+
+ # Allow us to getattr, getopt, setop and shutdown on unix sockets
+ unix (getattr, getopt, setopt, shutdown),
+
+ # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
+ # filesystems generally. This does not appreciably decrease security with
+ # Ubuntu profiles because the user is expected to have access to files owned
+ # by him/her. Exceptions to this are explicit in the profiles. While this rule
+ # grants access to those exceptions, the intended privacy is maintained due to
+ # the encrypted contents of the files in this directory. Files in this
+ # directory will also use filename encryption by default, so the files are
+ # further protected. Also, with the use of 'owner', this rule properly
+ # prevents access to the files from processes running under a different uid.
+
+ # encrypted ~/.Private and old-style encrypted $HOME
+ #owner @{HOME}/.Private/ r,
+ #owner @{HOME}/.Private/** mrixwlk,
+ # new-style encrypted $HOME
+ #owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
+ #owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
+
diff --git a/apparmor.d/abstractions/bash b/apparmor.d/abstractions/bash
new file mode 100644
index 00000000..e8dcd75c
--- /dev/null
+++ b/apparmor.d/abstractions/bash
@@ -0,0 +1,44 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # user-specific bash files
+ @{HOMEDIRS} r,
+ @{HOME}/.bashrc r,
+ @{HOME}/.profile r,
+ @{HOME}/.bash_profile r,
+ @{HOME}/.bash_history rw,
+
+ # system-wide bash configuration
+ /etc/profile.dos r,
+ /etc/profile r,
+ /etc/profile.d/ r,
+ /etc/profile.d/* r,
+ /etc/bashrc r,
+ /etc/bash.bashrc r,
+ /etc/bash.bashrc.local r,
+ /etc/bash_completion r,
+ /etc/bash_completion.d/ r,
+ /etc/bash_completion.d/* r,
+
+ # bash relies on system-wide readline configuration
+ /etc/inputrc r,
+
+ # bash inspects filesystems at startup
+ /etc/mtab r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/filesystems r,
+
+ # probably readline wants to know terminal capabilities
+ /usr/share/terminfo/** r,
+
+ # run out of /etc/bash.bashrc
+ /etc/DIR_COLORS r,
+ /{usr/,}bin/ls mix,
+ /usr/bin/dircolors mix,
diff --git a/apparmor.d/abstractions/consoles b/apparmor.d/abstractions/consoles
new file mode 100644
index 00000000..a16dffe0
--- /dev/null
+++ b/apparmor.d/abstractions/consoles
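Review bot: In the signal block of the base hunk, `signal (receive) peer=top,`, `signal (receive) peer=htop,` and `signal (receive) peer=sudo,` accept every signal from those peers, while the neighbouring rules for systemd-shutdown, openbox, xinit and su narrow the set with `set=(...)`. Because base is pulled into nearly every profile, an unrestricted receive rule placed here applies to the whole fleet rather than to one application; if the full signal set is really needed, a one-line comment saying why would stop a later reviewer from tightening it by mistake, and otherwise a `set=` list in the style of the adjacent `su` rule keeps the abstraction minimal. The `peer=` values name profiles, so these rules presumably only take effect when profiles called top, htop and sudo are loaded on the same host — worth stating, since the rest of this file follows upstream's text and a reader may not expect site-specific additions in it.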
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+ # there are three common ways to refer to consoles
+ /dev/console rw,
+ /dev/tty rw,
+ # this next entry is a tad unfortunate; /dev/tty will always be
+ # associated with the controlling terminal by the kernel, but if a
+ # program uses the /dev/pts/ interface, it actually has access to
+ # -all- xterm, sshd, etc, terminals on the system.
+ /dev/pts/[0-9]* rw,
+ /dev/pts/ r,
+
+ /dev/ptmx rw,
diff --git a/apparmor.d/abstractions/cups-client b/apparmor.d/abstractions/cups-client
new file mode 100644
index 00000000..f38ac097
--- /dev/null
+++ b/apparmor.d/abstractions/cups-client
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # discoverable system configuration for non-local cupsd
+ /etc/cups/client.conf r,
+ # client should be able to talk the local cupsd
+ /{,var/}run/cups/cups.sock rw,
+ # client should be able to read user-specified cups configuration
+ owner @{HOME}/.cups/client.conf r,
+ owner @{HOME}/.cups/lpoptions r,
diff --git a/apparmor.d/abstractions/dbus b/apparmor.d/abstractions/dbus
new file mode 100644
index 00000000..c670fc2d
--- /dev/null
+++ b/apparmor.d/abstractions/dbus
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This abstraction grants full system bus access. Consider using the
+ # dbus-strict abstraction for fine-grained bus mediation.
+
+ #include
+ dbus bus=system,
diff --git a/apparmor.d/abstractions/dbus-accessibility b/apparmor.d/abstractions/dbus-accessibility
new file mode 100644
index 00000000..40a33084
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-accessibility
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This abstraction grants full accessibility bus access. Consider using the
+ # dbus-accessibility-strict abstraction for fine-grained bus mediation.
+
+ #include
+ dbus bus=accessibility,
diff --git a/apparmor.d/abstractions/dbus-accessibility-strict b/apparmor.d/abstractions/dbus-accessibility-strict
new file mode 100644
index 00000000..a853ce20
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-accessibility-strict
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ dbus send
+ bus=accessibility
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
diff --git a/apparmor.d/abstractions/dbus-session b/apparmor.d/abstractions/dbus-session
new file mode 100644
index 00000000..eb1ed91e
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-session
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This abstraction grants full session bus access. Consider using the
+ # dbus-session-strict abstraction for fine-grained bus mediation.
+
+ #include
+ /usr/bin/dbus-launch ix,
+ dbus bus=session,
diff --git a/apparmor.d/abstractions/dbus-session-strict b/apparmor.d/abstractions/dbus-session-strict
new file mode 100644
index 00000000..1600554a
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-session-strict
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # unique per-machine identifier
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+ owner /run/user/*/bus rw,
+
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/dbus-*"),
+
+ # dbus with systemd and --enable-user-session
+ owner /run/user/[0-9]*/bus rw,
+
+ dbus send
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
diff --git a/apparmor.d/abstractions/dbus-strict b/apparmor.d/abstractions/dbus-strict
new file mode 100644
index 00000000..01a426e4
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-strict
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /{,var/}run/dbus/system_bus_socket rw,
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
diff --git a/apparmor.d/abstractions/dconf b/apparmor.d/abstractions/dconf
new file mode 100644
index 00000000..7ef69783
--- /dev/null
+++ b/apparmor.d/abstractions/dconf
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+# permissions for querying dconf settings; granting write access should
+# be specified in a specific application's profile.
+
+ /etc/dconf/** r,
+ owner /{,var/}run/user/*/dconf/user r,
+ owner @{HOME}/.config/dconf/user r,
diff --git a/apparmor.d/abstractions/deny-dconf b/apparmor.d/abstractions/deny-dconf
new file mode 100644
index 00000000..9cfea1e7
--- /dev/null
+++ b/apparmor.d/abstractions/deny-dconf
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ deny /etc/dconf/{,**} r,
+
+ # When this is blocked, expect lots of the following errors:
+ # dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
+ # dconf will not work properly.
+ deny owner /{var/,}run/user/[0-9]*/dconf/{,**} rw,
+
+ deny owner @{HOME}/.config/dconf/{,**} rw,
+ deny owner @{HOME}/.cache/dconf/{,**} rw,
+
+ # When GSETTINGS_BACKEND=keyfile
+ deny owner @{HOME}/.config/glib-2.0/ rw,
+ deny owner @{HOME}/.config/glib-2.0/settings/ rw,
+ deny owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
+ deny owner @{HOME}/.config/glib-2.0/settings/.goutputstream-* rw,
diff --git a/apparmor.d/abstractions/deny-root-dir-access b/apparmor.d/abstractions/deny-root-dir-access
new file mode 100644
index 00000000..9e26510f
--- /dev/null
+++ b/apparmor.d/abstractions/deny-root-dir-access
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
+ # access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
+ # user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
+ #
+ # Note that some apps will work anyway when run as root even if all of the files in the /root/
+ # are denied. Anyway, most of the apps refuse to start when they don't get the access to the
+ # needed files in the user home dir.
+
+ #abi ,
+
+ # Use audit for now to see whether some apps are trying to get access to the /root/ dir.
+ audit deny /root/{,**} rwkmlx,
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
new file mode 100644
index 00000000..2ef3363e
--- /dev/null
+++ b/apparmor.d/abstractions/disks-read
@@ -0,0 +1,86 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # The /sys/ entries probably should be tightened
+
+ /dev/ r,
+
+ # Regular disk/partition devices
+ /dev/sd[a-z] rk,
+ /dev/sd[a-z][0-9]* rk,
+ @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
+ @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
+ @{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
+
+ # SD card devices
+ /dev/mmcblk[0-9]* rk,
+ /dev/mmcblk[0-9]*p[0-9]* rk,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
+ @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
+ @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
+
+ # Loop devices
+ /dev/loop[0-9]* rk,
+ /dev/loop[0-9]*p[0-9]* rk,
+ @{sys}/devices/virtual/block/loop[0-9]*/ r,
+ @{sys}/devices/virtual/block/loop[0-9]*/** r,
+
+ # LUKS/LVM (device-mapper) devices
+ /dev/dm-[0-9]* rk,
+ @{sys}/devices/virtual/block/dm-[0-9]*/ r,
+ @{sys}/devices/virtual/block/dm-[0-9]*/** r,
+
+ # ZRAM devices
+ /dev/zram[0-9]* rk,
+ @{sys}/devices/virtual/block/zram[0-9]*/ r,
+ @{sys}/devices/virtual/block/zram[0-9]*/** r,
+
+ # CD-ROM
+ /dev/sr[0-9]* rk,
+
+ @{sys}/class/block/ r,
+ @{sys}/block/ r,
+ # To be able to look up each block device by major:minor numbers
+ @{sys}/dev/block/ r,
+
+ # According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
+ # dynamically by the kernel for devices which don't have official numbers assigned. It looks like
+ # that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
+ # changes, it's better to allow the whole range (240-254) instead of the single major numbers
+ # visible in the /proc/devices file.
+ # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
+ /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+
+ /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+ /{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
+ /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
+ /{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
+
+ /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+
+ /{var/,}run/udev/data/+usb:* r, # for ?
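Review bot: `/dev/sd[a-z] rk`, `/dev/mmcblk[0-9]* rk`, `/dev/dm-[0-9]* rk` and the other raw block-device rules grant byte-level read of whole disks, so a process that also has DAC access to those nodes (root, or membership in the group that owns them) can read every file on every filesystem regardless of the path rules elsewhere in its profile; the header should say so, e.g. `# WARNING: raw read of block devices bypasses all file-path rules of the including profile; include only in profiles of disk tools.` Separately, `/dev/sd[a-z]` matches single-letter names only, so `/dev/sdaa` and later disks are not covered and neither are their partitions — `/dev/sd[a-z]* rk,` would be consistent with the `[0-9]*` forms used for the other device families. The fifteen `b254`…`b240` udev lines could be one rule, `/{var/,}run/udev/data/b{24[0-9],25[0-4]}:[0-9]* r,`, which also matches the comment's stated intent of covering the whole range.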
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write
new file mode 100644
index 00000000..c6932073
--- /dev/null
+++ b/apparmor.d/abstractions/disks-write
@@ -0,0 +1,86 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # The /sys/ entries probably should be tightened
+
+ /dev/ r,
+
+ # Regular disk/partition devices
+ /dev/sd[a-z] rwk,
+ /dev/sd[a-z][0-9]* rwk,
+ @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
+ @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
+ @{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
+
+ # SD card devices
+ /dev/mmcblk[0-9]* rwk,
+ /dev/mmcblk[0-9]*p[0-9]* rwk,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
+ @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
+ @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
+
+ # Loop devices
+ /dev/loop[0-9]* rwk,
+ /dev/loop[0-9]*p[0-9]* rwk,
+ @{sys}/devices/virtual/block/loop[0-9]*/ r,
+ @{sys}/devices/virtual/block/loop[0-9]*/** r,
+
+ # LUKS/LVM (device-mapper) devices
+ /dev/dm-[0-9]* rwk,
+ @{sys}/devices/virtual/block/dm-[0-9]*/ r,
+ @{sys}/devices/virtual/block/dm-[0-9]*/** r,
+
+ # ZRAM devices
+ /dev/zram[0-9]* rwk,
+ @{sys}/devices/virtual/block/zram[0-9]*/ r,
+ @{sys}/devices/virtual/block/zram[0-9]*/** r,
+
+ # CD-ROM
+ /dev/sr[0-9]* rwk,
+
+ @{sys}/class/block/ r,
+ @{sys}/block/ r,
+ # To be able to look up each block device by major:minor numbers
+ @{sys}/dev/block/ r,
+
+ # According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
+ # dynamically by the kernel for devices which don't have official numbers assigned. It looks like
+ # that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
+ # changes, it's better to allow the whole range (240-254) instead of the single major numbers
+ # visible in the /proc/devices file.
+ # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
+ /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
+ /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+
+ /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+ /{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
+ /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
+ /{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
+
+ /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+
+ /{var/,}run/udev/data/+usb:* r, # for ?
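Review bot: `/dev/sd[a-z] rwk`, `/dev/dm-[0-9]* rwk`, `/dev/loop[0-9]* rwk` and the other `rwk` block-device rules let the confined process write raw sectors, which for a process with DAC access to the nodes means it can rewrite anything on the disk — boot code, filesystem metadata, encrypted-volume headers — and so defeats every other rule of the including profile; that needs to be spelled out in the header, e.g. `# WARNING: raw write to block devices is equivalent to unconfined access to persistent storage; include only in profiles of partitioning/imaging tools run by trusted users.` The same `/dev/sd[a-z]` single-letter limitation and the fifteen-line `b240`–`b254` list as in disks-read apply here; `/dev/sd[a-z]* rwk,` and `/{var/,}run/udev/data/b{24[0-9],25[0-4]}:[0-9]* r,` would keep the two files in step. The note `# The /sys/ entries probably should be tightened` is carried over verbatim; if the two files are meant to stay mirror images apart from the `w` bit, a comment saying which one is the source of truth would stop them drifting.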
diff --git a/apparmor.d/abstractions/dovecot-common b/apparmor.d/abstractions/dovecot-common
new file mode 100644
index 00000000..e1681d9a
--- /dev/null
+++ b/apparmor.d/abstractions/dovecot-common
@@ -0,0 +1,19 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# used with dovecot/*
+
+ capability setgid,
+
+ deny capability block_suspend,
+
+ # dovecot's master can send us signals
+ signal receive peer=dovecot,
+
+ /{var/,}run/dovecot/config rw,
diff --git a/apparmor.d/abstractions/dri-common b/apparmor.d/abstractions/dri-common
new file mode 100644
index 00000000..b5e0a5c5
--- /dev/null
+++ b/apparmor.d/abstractions/dri-common
@@ -0,0 +1,14 @@
+# vim:syntax=apparmor
+
+# This file contains common DRI-specific rules useful for GUI applications
+# (needed by libdrm and similar).
+
+ /usr/lib{,32,64}/dri/** mr,
+ /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/fglrx/dri/** mr,
+ /dev/dri/ r,
+ /dev/dri/** rw,
+ /etc/drirc r,
+ /usr/share/drirc.d/{,*.conf} r,
+ owner @{HOME}/.drirc r,
+
diff --git a/apparmor.d/abstractions/dri-enumerate b/apparmor.d/abstractions/dri-enumerate
new file mode 100644
index 00000000..e101be5c
--- /dev/null
+++ b/apparmor.d/abstractions/dri-enumerate
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+# This file contains common DRI-specific rules useful for GUI applications that
+# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
+# libdrm).
+
+ @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+
diff --git a/apparmor.d/abstractions/enchant b/apparmor.d/abstractions/enchant
new file mode 100644
index 00000000..d0ff0852
--- /dev/null
+++ b/apparmor.d/abstractions/enchant
@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # abstraction for Enchant spellchecking frontend
+
+ /usr/share/enchant/ r,
+ /usr/share/enchant/enchant.ordering r,
+ /usr/share/enchant-[0-9]*/enchant.ordering r,
+
+ # aspell
+ #include
+ /var/lib/dictionaries-common/aspell/ r,
+ /var/lib/dictionaries-common/aspell/* r,
+
+ # hspell
+ /usr/share/hspell/ r,
+ /usr/share/hspell/*.wgz.* r,
+
+ # hunspell
+ /usr/share/hunspell/ r,
+ /usr/share/hunspell/* r,
+
+ # ispell
+ /usr/lib/ispell/ r,
+ /usr/lib/ispell/*.hash r,
+ /usr/share/dict/ r,
+ /usr/share/dict/* r,
+ /var/lib/dictionaries-common/ r,
+ /var/lib/dictionaries-common/{ispell,wordlist}/ r,
+ /var/lib/dictionaries-common/{ispell,wordlist}/* r,
+
+ # myspell
+ /usr/share/myspell/ r,
+ /usr/share/myspell/** r,
+
+ # voikko
+ /usr/lib/voikko/ r,
+ /usr/lib/voikko/2/ r,
+ /usr/lib/voikko/2/mor-standard/ r,
+ /usr/lib/voikko/2/mor-standard/voikko* r,
+
+ # zemberek
+ /usr/share/java/ r,
+ /usr/share/java/zemberek-[0-9]*.jar r,
+ /usr/share/java/zemberek-tr-[0-9]*.jar r,
+
+ # per-user dictionaries
+ owner @{HOME}/.config/enchant/ rw,
+ owner @{HOME}/.config/enchant/* rwk,
diff --git a/apparmor.d/abstractions/evince b/apparmor.d/abstractions/evince
new file mode 100644
index 00000000..e6a5757f
--- /dev/null
+++ b/apparmor.d/abstractions/evince
@@ -0,0 +1,124 @@
+# vim:syntax=apparmor
+#
+# abstraction used by evince binaries
+#
+
+ #include
+ #include
+ #include
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/[0-9]*/mountinfo r,
+ owner @{PROC}/[0-9]*/auxv r,
+ owner @{PROC}/[0-9]*/status r,
+
+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+ # Possibly move to an abstraction if anything else needs it.
+ deny /run/udev/data/** r,
+
+ # move out to the gnome abstraction if anyone else needs these
+ /dev/.udev/{data,db}/* r,
+ /etc/udev/udev.conf r,
+ /sys/devices/**/block/**/uevent r,
+
+ # apport
+ /etc/default/apport r,
+
+ # XFCE
+ /etc/xfce4/defaults.list r,
+
+ # Lubuntu
+ /etc/xdg/lubuntu/applications/defaults.list r,
+
+ # evince specific
+ /etc/ r,
+ /etc/fstab r,
+ /etc/texmf/ r,
+ /etc/texmf/** r,
+ /etc/xpdf/* r,
+ owner @{HOME}/.config/evince/ rw,
+ owner @{HOME}/.config/evince/** rwkl,
+
+ /usr/bin/gs-esp ixr,
+ /usr/bin/mktexpk Cx -> sanitized_helper,
+ /usr/bin/mktextfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+ # supported archivers
+ /bin/gzip ixr,
+ /bin/bzip2 ixr,
+ /usr/bin/unrar* ixr,
+ /usr/bin/unzip ixr,
+ /usr/bin/7zr ixr,
+ /usr/lib/p7zip/7zr ixr,
+ /usr/bin/7za ixr,
+ /usr/lib/p7zip/7za ixr,
+ /usr/bin/zipnote ixr,
+ /bin/tar ixr,
+ /usr/bin/xz ixr,
+
+ # allow read access to anything in /usr/share, for plugins and input methods
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /usr/lib/ghostscript/** mr,
+ /var/lib/ghostscript/** r,
+ /var/lib/texmf/** r,
+
+ # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+ # read for all supported file formats
+ /**.[bB][mM][pP] r,
+ /**.[dD][jJ][vV][uU] r,
+ /**.[dD][vV][iI] r,
+ /**.[gG][iI][fF] r,
+ /**.[jJ][pP][gG] r,
+ /**.[jJ][pP][eE][gG] r,
+ /**.[oO][dD][pP] r,
+ /**.[fFpP][dD][fF] r,
+ /**.[pP][nN][mM] r,
+ /**.[pP][nN][gG] r,
+ /**.[pP][sS] r,
+ /**.[eE][pP][sS] r,
+ /**.[eE][pP][sS][fFiI23] r,
+ /**.[tT][iI][fF] r,
+ /**.[tT][iI][fF][fF] r,
+ /**.[xX][pP][mM] r,
+ /**.[gG][zZ] r,
+ /**.[bB][zZ]2 r,
+ /**.[cC][bB][rRzZ7] r,
+ /**.[xX][zZ] r,
+
+ # Use abstractions/private-files instead of abstractions/private-files-strict
+ # and add the sensitive files manually to work around LP: #451422. The goal
+ # is to disallow access to the .mozilla folder in general, but to allow
+ # access to the Cache directory, which the browser may tell evince to open
+ # from directly.
+
+ #include
+ audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.ssh/** mrwkl,
+ audit deny @{HOME}/.gnome2_private/** mrwkl,
+ audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.pki/nssdb/** w,
+
+ audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+ audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
+
+ audit deny @{HOME}/.config/chromium/** mrwkl,
+ audit deny @{HOME}/.evolution/** mrwkl,
+ audit deny @{HOME}/.config/evolution/** mrwkl,
+ audit deny @{HOME}/.kde/share/config/** mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
+
+ # When LP: #451422 is fixed, change the above to simply be:
+ ##include
+ #owner @{HOME}/.mozilla/**/*Cache/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
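Review bot: The last thunderbird rule, `audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,`, does not express "everything except Cache": negated classes are matched position by position, so any subdirectory whose name is shorter than five characters, or that merely shares one character position with `Cache` (a second letter `a`, for instance), escapes the deny, while names unrelated to Cache are denied. AppArmor has no negation operator, so the choices are to deny the profile directory's sensitive subtrees explicitly by name or to accept that only the `*/*` rule above it is reliable, and either way the comment should say so, e.g. `# NOTE: the [^C][^a][^c][^h][^e] pattern only approximates "not Cache"; it misses short names and any name sharing a letter position with Cache.` The same depth caveat applies to `audit deny @{HOME}/.mozilla/*/*/* mrwkl,`, which covers exactly three levels plus the four named `**` subtrees and nothing deeper. This block is inherited from the Ubuntu profile and the LP: #451422 comment already flags the workaround, but it should not read as if the pattern were exact.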
diff --git a/apparmor.d/abstractions/exo-open b/apparmor.d/abstractions/exo-open
new file mode 100644
index 00000000..466fa65b
--- /dev/null
+++ b/apparmor.d/abstractions/exo-open
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via exo-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/exo-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/exo-open rPx -> foo//exo-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//exo-open {
+# #include
+#
+# # needed for ubuntu-* abstractions
+# #include
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+#
+# # Add if accesibility access is considered as required
+# # (for message boxe in case exo-open fails)
+# #include
+#
+# # < add additional allowed applications here >
+# }
+
+ #include
+ #include # for alert messages
+ #include
+ #include
+ #include
+
+ # Main executables
+
+ /usr/bin/exo-open rix,
+ /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
+
+ # Other executables
+
+ /{,usr/}bin/which rix,
+
+ # Deny DBus
+
+ # for GTK error message dialog, not required exo-open to work.
+ deny dbus send
+ bus=session
+ path=/org/gtk/vfs/mounttracker,
+
+ # System files
+
+ /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
+ /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
+ /usr/share/sounds/freedesktop/** r, # for message box alert sound
+ /usr/share/xfce4/helpers/*.desktop r,
+ /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
+
+ # User files
+ owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{HOME}/.config/xfce4/helpers.rc r,
diff --git a/apparmor.d/abstractions/fcitx b/apparmor.d/abstractions/fcitx
new file mode 100644
index 00000000..3d26cc95
--- /dev/null
+++ b/apparmor.d/abstractions/fcitx
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #include
+ dbus bus=fcitx,
diff --git a/apparmor.d/abstractions/fcitx-strict b/apparmor.d/abstractions/fcitx-strict
new file mode 100644
index 00000000..d7737341
--- /dev/null
+++ b/apparmor.d/abstractions/fcitx-strict
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #include
+
+ dbus send
+ bus=fcitx
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
+
+ owner @{HOME}/.config/fcitx/dbus/* r,
diff --git a/apparmor.d/abstractions/file-browsing-strict b/apparmor.d/abstractions/file-browsing-strict
new file mode 100644
index 00000000..838dc1d1
--- /dev/null
+++ b/apparmor.d/abstractions/file-browsing-strict
@@ -0,0 +1,20 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ deny @{PROC}/@{pid}/mountinfo r,
+ deny @{PROC}/@{pid}/mounts r,
+
+ # Usually, apps shouldn't view this file
+ deny /etc/fstab r,
+
+ deny /dev/disk/*/ r,
diff --git a/apparmor.d/abstractions/flatpak-snap b/apparmor.d/abstractions/flatpak-snap
new file mode 100644
index 00000000..47fbbbd8
--- /dev/null
+++ b/apparmor.d/abstractions/flatpak-snap
@@ -0,0 +1,27 @@
+# kate: syntax AppArmor Security Profile
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018 Nibaldo Gonzalez
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # Flatpak
+ /var/lib/flatpak/exports/share/{,**} r,
+ /var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
+
+ owner @{HOME}/.local/share/flatpak/exports/share/{,**} r,
+ owner @{HOME}/.local/share/flatpak/app/{,**.desktop} r,
+ deny owner @{HOME}/.local/share/flatpak/** w,
+
+ # Snap
+ /var/lib/snapd/desktop/applications/mimeinfo.cache r,
+ /var/lib/snapd/desktop/applications/*.desktop r,
+ /var/lib/snapd/desktop/applications/ r,
diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read
new file mode 100644
index 00000000..ce89f38d
--- /dev/null
+++ b/apparmor.d/abstractions/fontconfig-cache-read
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # The fontconfig cache can be generated via the following command:
+ # $ fc-cache -f -v
+ # There's no need to give apps the ability to create cache for their own. Apps can generate the
+ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
+ # the "fontconfig-cache-write" abstraction.
+
+ owner @{HOME}/.cache/fontconfig/ r,
+ deny @{HOME}/.cache/fontconfig/ w,
+ deny @{HOME}/.cache/fontconfig/** w,
+ owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
+ owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+
+ owner @{HOME}/.fontconfig/ r,
+ deny @{HOME}/.fontconfig/ w,
+ deny @{HOME}/.fontconfig/** w,
+ owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
+ owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+
+ /var/cache/fontconfig/ r,
+ deny /var/cache/fontconfig/ w,
+ deny /var/cache/fontconfig/** w,
+ /var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
+ /var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+
+ # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
+ # identify the font directory and is used to determine the cache filename if available.
+ owner /usr/local/share/fonts/.uuid r,
+ deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
+ /usr/share/**/.uuid r,
+ deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write
new file mode 100644
index 00000000..81c118a5
--- /dev/null
+++ b/apparmor.d/abstractions/fontconfig-cache-write
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ owner @{HOME}/.cache/fontconfig/ rw,
+ owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
+ owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
+
+ owner @{HOME}/.fontconfig/ rw,
+ owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
+ owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
+
+ # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
+ # identify the font directory and is used to determine the cache filename if available.
+ owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
+ link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
+ /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
+ deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
diff --git a/apparmor.d/abstractions/fonts b/apparmor.d/abstractions/fonts
new file mode 100644
index 00000000..e34fb0cc
--- /dev/null
+++ b/apparmor.d/abstractions/fonts
@@ -0,0 +1,62 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /usr/share/AbiSuite/fonts/** r,
+
+ /usr/lib/xorg/modules/fonts/**.so* mr,
+
+ /usr/share/fonts/ r,
+ /usr/share/fonts/** r,
+ /usr/share/fonts-*/{,**} r,
+
+ /etc/fonts/** r,
+ # Debian, openSUSE paths are different
+ /usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
+ /usr/share/ghostscript/fonts/{,**} r,
+
+ /opt/kde3/share/fonts/** r,
+
+ /usr/lib{,32,64}/openoffice/share/fonts/** r,
+
+ /var/cache/fonts/** r,
+ /var/cache/fontconfig/** mr,
+ /var/lib/defoma/** mr,
+
+ /usr/share/a2ps/fonts/** r,
+ /usr/share/xfce/fonts/** r,
+ /usr/share/ghostscript/fonts/** r,
+ /usr/share/javascript/*/fonts/** r,
+ /usr/share/texmf/{,*/}fonts/** r,
+ /usr/share/texlive/texmf-dist/fonts/** r,
+ /var/lib/ghostscript/** r,
+
+ owner @{HOME}/.fonts.conf r,
+ owner @{HOME}/.fonts/ r,
+ owner @{HOME}/.fonts/** r,
+ owner @{HOME}/.local/share/fonts/ r,
+ owner @{HOME}/.local/share/fonts/** r,
+ owner @{HOME}/.fonts.cache-2 mr,
+ owner @{HOME}/.{,cache/}fontconfig/ rw,
+ owner @{HOME}/.{,cache/}fontconfig/** mrl,
+ owner @{HOME}/.fonts.conf.d/ r,
+ owner @{HOME}/.fonts.conf.d/** r,
+ owner @{HOME}/.config/fontconfig/ r,
+ owner @{HOME}/.config/fontconfig/** r,
+
+ /usr/local/share/fonts/ r,
+ /usr/local/share/fonts/** r,
+
+ # poppler CMap tables
+ /usr/share/poppler/cMap/** r,
+
+ # data files for LibThai
+ /usr/share/libthai/thbrk.tri r,
diff --git a/apparmor.d/abstractions/freedesktop.org b/apparmor.d/abstractions/freedesktop.org
new file mode 100644
index 00000000..2ffaaf99
--- /dev/null
+++ b/apparmor.d/abstractions/freedesktop.org
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # system configuration
+ @{system_share_dirs}/applications/{**,} r,
+ @{system_share_dirs}/icons/{**,} r,
+ @{system_share_dirs}/pixmaps/{**,} r,
+
+ # this should probably go elsewhere
+ @{system_share_dirs}/mime/** r,
+
+ # per-user configurations
+ owner @{HOME}/.icons/{**,} r,
+ owner @{HOME}/.recently-used.xbel* rw,
+ owner @{HOME}/.local/share/recently-used.xbel* rw,
+ owner @{HOME}/.config/user-dirs.dirs r,
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{user_share_dirs}/applications/{**,} r,
+ owner @{user_share_dirs}/icons/{**,} r,
+ owner @{user_share_dirs}/mime/{**,} r,
diff --git a/apparmor.d/abstractions/fzf b/apparmor.d/abstractions/fzf
new file mode 100644
index 00000000..a45de60a
--- /dev/null
+++ b/apparmor.d/abstractions/fzf
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ owner @{HOME}/.fzf/{,**} r,
+
+ owner @{HOME}/.fzf.* r,
diff --git a/apparmor.d/abstractions/gio-open b/apparmor.d/abstractions/gio-open
new file mode 100644
index 00000000..91c866df
--- /dev/null
+++ b/apparmor.d/abstractions/gio-open
@@ -0,0 +1,54 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gio helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gio directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gio rPx -> foo//gio-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gio-open {
+# #include
+#
+# # needed for ubuntu-* abstractions
+# #include
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+#
+# # < add additional allowed applications here >
+# }
+
+ #include
+ #include
+
+ # Main executables
+
+ /usr/bin/gio rix,
+ /usr/bin/gio-launch-desktop ix, # for OpenSUSE
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+
+ # System files
+
+ /etc/gnome/defaults.list r,
+ /usr/share/mime/* r,
+ /usr/share/{,*/}applications/{,**} r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+ /var/lib/snapd/desktop/applications/{,**} r,
+
+ # User files
+
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+ owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/abstractions/gnome b/apparmor.d/abstractions/gnome
new file mode 100644
index 00000000..65811c04
--- /dev/null
+++ b/apparmor.d/abstractions/gnome
@@ -0,0 +1,109 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+ # systemwide gtk defaults
+ /etc/gnome/gtkrc* r,
+ /etc/gtk/* r,
+ /usr/lib{,32,64}/gtk/** mr,
+ /usr/lib/@{multiarch}/gtk/** mr,
+ /usr/lib{,32,64}/gtk-[0-9]*/** mr,
+ /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
+ /usr/share/themes/ r,
+ /usr/share/themes/** r,
+
+ # for gnome 1 applications
+ /etc/orbitrc r,
+
+ # gtk-2 needed some new rights
+ /etc/fonts/* r,
+ /etc/gtk-*/* r,
+ /etc/pango/* r,
+ /usr/lib{,32,64}/pango/** mr,
+ /usr/lib{,32,64}/gtk-*/** mr,
+ /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
+ /usr/lib/@{multiarch}/pango/** mr,
+ /usr/lib/@{multiarch}/gtk-*/** mr,
+ /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
+
+ # per-user gtk configuration
+ owner @{HOME}/.config/gtk-3.0/ w,
+ owner @{HOME}/.config/gtk-3.0/* r,
+ owner @{HOME}/.gnome/Gnome r,
+ owner @{HOME}/.gtk r,
+ owner @{HOME}/.gtkrc r,
+ owner @{HOME}/.gtkrc-2.0 r,
+ owner @{HOME}/.gtk-bookmarks r,
+ owner @{HOME}/.themes/ r,
+ owner @{HOME}/.themes/** r,
+ owner @{user_share_dirs}/themes/ r,
+ owner @{user_share_dirs}/themes/** r,
+
+ # for gtk file dialog
+ owner @{HOME}/.config/gtk-2.0/ w,
+ owner @{HOME}/.config/gtk-2.0/** r,
+ owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
+
+ # from evolution-mail
+ owner @{HOME}/.gconfd/lock/* r,
+ owner @{HOME}/.gnome/application-info r,
+
+ # per-user font business
+ owner @{HOME}/.fonts.cache-* rwl,
+
+ # GtkComposeTable
+ owner @{HOME}/.cache/gtk-3.0/** r,
+
+ # icon caches
+ /var/cache/**/icon-theme.cache r,
+ /usr/share/**/icon-theme.cache r,
+
+ # GLib schemas
+ /usr/{local/,}share/glib-[0-9]*/schemas/ r,
+ /usr/{local/,}share/glib-[0-9]*/schemas/** r,
+
+ # gnome VFS modules
+ /etc/gnome-vfs-2.0/modules/ r,
+ /etc/gnome-vfs-2.0/modules/* r,
+ /usr/lib/gnome-vfs-2.0/modules/*.so mr,
+ /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
+
+ # gvfs
+ /usr/share/gvfs/remote-volume-monitors/ r,
+ /usr/share/gvfs/remote-volume-monitors/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # printing
+ /etc/papersize r,
+ /etc/cups/lpoptions r,
+ /usr/share/cups/charmaps/** r,
+
+ # holds MIT-MAGIC-COOKIE for gnome
+ owner /{,var/}run/gdm/auth*/database r,
+
+ # mime-types
+ /etc/gnome/defaults.list r,
+ /etc/xdg/{,*-}mimeapps.list r,
+ /usr/share/gnome/applications/ r,
+ /usr/share/gnome/applications/mimeinfo.cache r,
+
+ # Allow connecting to the GNOME vfs socket (still need corresponding DBus
+ # rules)
+ unix (send, receive, connect)
+ type=stream
+ peer=(addr="@/dbus-vfs-daemon/socket-*"),
diff --git a/apparmor.d/abstractions/gnupg b/apparmor.d/abstractions/gnupg
new file mode 100644
index 00000000..d04c920d
--- /dev/null
+++ b/apparmor.d/abstractions/gnupg
@@ -0,0 +1,11 @@
+# vim:syntax=apparmor
+# gnupg sub-process running permissions
+
+ # user configurations
+ owner @{HOME}/.gnupg/options r,
+ owner @{HOME}/.gnupg/pubring.gpg r,
+ owner @{HOME}/.gnupg/pubring.kbx r,
+ owner @{HOME}/.gnupg/random_seed rw,
+ owner @{HOME}/.gnupg/secring.gpg r,
+ owner @{HOME}/.gnupg/so/*.x86_64 mr,
+ owner @{HOME}/.gnupg/trustdb.gpg rw,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
new file mode 100644
index 00000000..00f1ac81
--- /dev/null
+++ b/apparmor.d/abstractions/gstreamer
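Review bot: `owner @{HOME}/.gnupg/secring.gpg r,` hands the including profile read access to the legacy GnuPG secret keyring, and nothing in this file restricts that to a gpg child process as the header `# gnupg sub-process running permissions` suggests — any application profile that includes this abstraction directly gets the same read. The header should state the intended use, e.g. `# Only include from the child profile a gpg execution transitions into (Cx/Px), never from the main application profile: secring.gpg holds private key material.` `owner @{HOME}/.gnupg/so/*.x86_64 mr` is unexplained and grants mmap-exec (`m`) on files under a user-owned directory; a comment naming what creates those files would justify it. Modern GnuPG keeps secrets elsewhere under .gnupg, so presumably this abstraction targets the 1.x layout — worth saying so the gap is deliberate rather than an omission.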
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+ #include
+ #include
+ #include
+
+ # TODO: adjust when support finer-grained netlink rules
+ network netlink raw,
+
+ /etc/udev/udev.conf r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ /dev/ r,
+ /dev/bus/usb/ r,
+ /dev/dri/ r,
+
+ # /dev/shm is a symlink to /run/shm on ubuntu
+ owner /{dev,run}/shm/shmfd-* rw,
+
+ /run/udev/data/c* r,
+ /run/udev/data/+pci:* r,
+ /run/udev/data/+usb* r,
+
+ /sys/bus/ r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/ r,
+ /sys/class/drm/ r,
+ /sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/*/meminfo r,
+
+ owner /tmp/orcexec.* mrw,
+ owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+ # needed if /tmp is mounted noexec:
+ owner @{HOME}/orcexec.* mr,
+
+ /usr/lib/frei0r-[0-9]/*.so m,
+ # /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+ /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
+ /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
+
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk
new file mode 100644
index 00000000..f27f710d
--- /dev/null
+++ b/apparmor.d/abstractions/gtk
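Review bot: `owner /tmp/orcexec.* mrw,` and `owner /{,var/}run/user/[0-9]*/orcexec.* mrw,` grant write and mmap-exec on the same file, which gives up the write-xor-execute separation AppArmor otherwise provides; the `owner` qualifier is the only thing narrowing the rule. A comment stating what these files are would make the trade-off explicit for profile authors, e.g. `# ORC JIT code cache: written and then mapped executable by the same process; owner-only`. The `network netlink raw,` rule is carried over with its upstream TODO and would also benefit from a note naming the plugin that needs raw netlink, so it can be removed when finer-grained netlink rules become available.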
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ /usr/share/themes/{,**} r,
+
+ /usr/share/gtk-3.0/settings.ini r,
+
+ /etc/gtk-2.0/gtkrc r,
+ /etc/gtk-3.0/*.conf r,
+
+ /etc/gtk/gtkrc r,
+
+ owner @{HOME}/.gtk r,
+ owner @{HOME}/.gtkrc r,
+ owner @{HOME}/.gtkrc-2.0 r,
+ owner @{HOME}/.gtk-bookmarks r,
+ owner @{HOME}/.config/gtkrc r,
+ owner @{HOME}/.config/gtkrc-2.0 r,
+ owner @{HOME}/.config/gtk-3.0/ w,
+ owner @{HOME}/.config/gtk-3.0/settings.ini r,
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/gtk-3.0/gtk.css r,
+
+ # for gtk file dialog
+ owner @{HOME}/.config/gtk-2.0/ w,
+ owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
+
+ # .Xauthority file required for X connections
+ owner @{HOME}/.Xauthority r,
+
+ # Xsession errors file
+ owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/abstractions/gvfs-open b/apparmor.d/abstractions/gvfs-open
new file mode 100644
index 00000000..2b1237ca
--- /dev/null
+++ b/apparmor.d/abstractions/gvfs-open
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gvfs-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gvfs-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gvfs-open {
+# #include
+#
+# # needed for ubuntu-* abstractions
+# #include
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include
+
+ # gvfs-open is deprecated, it launches gio open
+ #include
+
+ # Main executables
+
+ /usr/bin/gvfs-open r,
+ /{,usr/}bin/dash mr,
diff --git a/apparmor.d/abstractions/ibus b/apparmor.d/abstractions/ibus
new file mode 100644
index 00000000..a4431b99
--- /dev/null
+++ b/apparmor.d/abstractions/ibus
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # abstraction for ibus input methods
+ owner @{HOME}/.config/ibus/ r,
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
+
+ # abstract path in ibus < 1.5.22 uses /tmp
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/ibus/dbus-*"),
+
+ # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+ # This should use this, but due to LP: #1856738 we cannot
+ #unix (connect, receive, send)
+ # type=stream
+ # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/home/*/.cache/ibus/dbus-*"),
diff --git a/apparmor.d/abstractions/kde b/apparmor.d/abstractions/kde
new file mode 100644
index 00000000..cad5c7db
--- /dev/null
+++ b/apparmor.d/abstractions/kde
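Review bot: The workaround rule `peer=(addr="@/home/*/.cache/ibus/dbus-*")` matches the abstract socket of every user's ibus daemon, not only the profile owner's, since abstract-socket addresses cannot be narrowed with `owner`; the commented-out `@{HOME}` form above it shows the intended scope. That widening deserves to be spelled out next to the rule so it is tightened once the referenced bug is resolved, e.g. `# NOTE: /home/* also matches other users' ibus sockets; revert to @{HOME} when LP: #1856738 is fixed`. Users whose home directory is outside /home will also not be matched by this rule, which the comment could mention.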
@@ -0,0 +1,77 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/etc/qt3/kstylerc r,
+/etc/qt3/qt_plugins_3.3rc r,
+/etc/qt3/qtrc r,
+/etc/kderc r,
+/etc/kde3/* r,
+/etc/kde4rc r,
+/etc/xdg/kdeglobals r,
+/etc/xdg/Trolltech.conf r,
+/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
+/usr/share/kubuntu-default-settings/kf5-settings/* r,
+
+owner @{HOME}/.DCOPserver_* r,
+owner @{HOME}/.ICEauthority r,
+owner @{HOME}/.fonts.* lrw,
+owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
+owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
+owner @{HOME}/.qt/** rw,
+owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
+owner @{HOME}/.config/Trolltech.conf rwk,
+owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
+owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/trashrc r, # Used by KFileWidget
+
+/usr/share/X11/XKeysymDB r,
+
+# kde3
+/usr/lib*/kde3/plugins/styles/ r,
+/usr/lib*/kde3/plugins/styles/* mr,
+/usr/lib*/kde3/lib*so* mr,
+/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
+/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
+/usr/lib/@{multiarch}/kde3/lib*so* mr,
+/usr/lib*/qt3/lib*/lib*so* mr,
+/usr/lib*/qt3/plugins/** mr,
+/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt3/plugins/** mr,
+/usr/lib*/libqt-mt*so* mr,
+/usr/lib*/libqui*so* mr,
+/usr/lib/@{multiarch}/libqt-mt*so* mr,
+/usr/lib/@{multiarch}/libqui*so* mr,
+/usr/share/qt3/lib*/libqt-mt*so* mr,
+/usr/share/qt3/lib*/libqui*so* mr,
+
+# kde4
+/usr/lib*/kde4/plugins/*/*.so mr,
+/usr/lib*/kde4/plugins/*/ r,
+/usr/lib*/kde4/lib*so* mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/ r,
+/usr/lib/@{multiarch}/kde4/lib*so* mr,
+/usr/lib*/qt4/lib*/lib*so* mr,
+/usr/lib*/qt4/plugins/** mr,
+/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt4/plugins/** mr,
+/usr/share/qt4/** r,
diff --git a/apparmor.d/abstractions/kde-globals-write b/apparmor.d/abstractions/kde-globals-write
new file mode 100644
index 00000000..8425f3f9
--- /dev/null
+++ b/apparmor.d/abstractions/kde-globals-write
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# Rules for changing KDE settings (for KFileDialog and other).
+
+ # User files
+
+ owner @{HOME}/.config/#[0-9]* rw,
+ owner @{HOME}/.config/kdeglobals rw,
+ owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*,
+ owner @{HOME}/.config/kdeglobals.lock rwk,
+
diff --git a/apparmor.d/abstractions/kde-icon-cache-write b/apparmor.d/abstractions/kde-icon-cache-write
new file mode 100644
index 00000000..d37fb3b8
--- /dev/null
+++ b/apparmor.d/abstractions/kde-icon-cache-write
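Review bot: The rules in this abstraction are written at column 0 while the other abstractions in this commit (gtk, kde4, kde-open5) indent rules by two spaces, so the body from `/etc/qt3/kstylerc r,` through `/usr/share/qt4/** r,` should be indented the same way for consistency. The `# kde3` section grants `mr` on broad globs such as `/usr/lib*/kde3/lib*so* mr,` and `/usr/lib*/qt3/plugins/** mr,` for a toolkit generation that is no longer shipped by most distributions; a comment stating whether those rules are still required, or dropping them, would shrink what every profile including this file is allowed to map executable.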
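Review bot: The link target in `owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*,` uses a literal `/home/*` while the source side uses `@{HOME}`, so the target is not tied to the same user's home and the rule appears to match nothing when HOME lives outside /home. `owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,` keeps both sides scoped identically, which is also the form the commented-out rules in the kde5-plasma5 abstraction of this commit use. The same pattern appears in kde-language-write (`klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*`) and should be changed there too.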
@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# Rules for writing KDE icon cache
+
+ # User files
+
+ owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+
diff --git a/apparmor.d/abstractions/kde-language-write b/apparmor.d/abstractions/kde-language-write
new file mode 100644
index 00000000..ee4d03f3
--- /dev/null
+++ b/apparmor.d/abstractions/kde-language-write
@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# Rules for changing per-application language settings on KDE. Some KDE
+# applications have "Help -> Switch Application Language..." option, that needs
+# write access to language settings file.
+
+ # User files
+
+ owner @{HOME}/.config/#[0-9]* rw,
+ owner @{HOME}/.config/klanguageoverridesrc rw,
+ owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*,
+ owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
+
diff --git a/apparmor.d/abstractions/kde-open5 b/apparmor.d/abstractions/kde-open5
new file mode 100644
index 00000000..f385cf64
--- /dev/null
+++ b/apparmor.d/abstractions/kde-open5
@@ -0,0 +1,102 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via kde-open5 helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/kde-open5 directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/kde-open5 rPx -> foo//kde-open5,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//kde-open5 {
+# #include
+#
+# # needed for ubuntu-* abstractions
+# #include
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+#
+# # Add if accesibility access is considered as required
+# # (for message boxe in case exo-open fails)
+# #include
+#
+# # Add if audio support for message box is
+# # considered as required.
+# include if exists
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include # for alert messages
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include # for IceProcessMessages () from libICE.so (called by libQtCore.so)
+ #include
+ #include
+ #include
+ #include
+
+ # Main executables
+
+ /usr/bin/kde-open5 rix,
+ /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
+
+ # DBus
+
+ dbus
+ bus=session
+ interface=org.kde.KLauncher
+ member=start_service_by_desktop_path
+ peer=(name=org.kde.klauncher5),
+
+ # Denied system files
+
+ deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9]*[0-9] m,
+
+ # System files
+
+ /dev/tty r,
+ /etc/xdg/accept-languages.codes r,
+ /etc/xdg/menus/{,*/} r,
+ /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
+ /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
+ /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
+ /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
+ /usr/share/mime/ r,
+ /usr/share/mime/generic-icons r,
+ /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+ /usr/share/sounds/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ # User files
+
+ owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
+ owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
+ owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
+ owner @{HOME}/.cache/kio_http/ rw,
+
diff --git a/apparmor.d/abstractions/kde4 b/apparmor.d/abstractions/kde4
new file mode 100644
index 00000000..6e5e0a54
--- /dev/null
+++ b/apparmor.d/abstractions/kde4
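Review bot: The link target in `owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*,` looks mistyped: `/{,var/}/run` expands to `//run` or `/var//run`, and `[0-9]` without a trailing `*` matches only single-digit uids, whereas the source side of the same rule uses `[0-9]*`. The intended rule is most likely `owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}run/user/[0-9]*/#[0-9]*,`. The author's own trailing comment marks this rule as "not 100% sure", so the corrected form should be confirmed against a real denial before it is treated as final.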
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ /usr/share/kde4/** r,
+
+ /{usr/,}lib/kde4/*.so mr,
+ /{usr/,}lib/kde4/plugins/*/ r,
+ /{usr/,}lib/kde4/plugins/*/*.so mr,
+
+ # Create home KDE directory structure
+ owner @{HOME}/.kde{,4}/ rw,
+ owner @{HOME}/.kde{,4}/**/ rw,
+ owner @{HOME}/.config/kde.org/ rw,
+ owner @{HOME}/.config/kde.org/**/ rw,
+
+ # Common configs
+ owner @{HOME}/.kde{,4}/share/config/kdeglobals r,
+ owner @{HOME}/.kde{,4}/share/config/kdebugrc r,
+ owner @{HOME}/.kde{,4}/share/config/servicetype_profilerc r,
+
+ # Phonon
+ owner @{HOME}/.config/kde.org/libphonon.conf rk,
+
+ owner @{HOME}/.config/Trolltech.conf rk,
+
+ owner /var/tmp/kdecache-*/ r,
+ owner /var/tmp/kdecache-*/** r,
+ owner /var/tmp/kdecache-*/*.kcache rw,
diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5
new file mode 100644
index 00000000..30c4493f
--- /dev/null
+++ b/apparmor.d/abstractions/kde5-plasma5
@@ -0,0 +1,67 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ #include
+
+ # KDE/Plasma5 themes
+ #/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
+ #/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr,
+ #/usr/share/plasma/look-and-feel/** r,
+ #/usr/share/color-schemes/*.colors r,
+
+ #/usr/share/kservices5/{,**/} r,
+ #/usr/share/kservices5/*.protocol r,
+
+ #/usr/share/knotifications5/plasma_workspace.notifyrc r,
+
+ # For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
+ # includes this abstraction)
+ #owner @{HOME}/.config/#[0-9]*[0-9] rwk,
+ #owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
+ #owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
+ #owner /{var/,}run/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
+
+ # Common KDE config files
+ #owner @{HOME}/.config/#[0-9]*[0-9] rw,
+ #owner @{HOME}/.config/kdeglobals* rwkl -> @{HOME}/.config/#[0-9]*[0-9],
+ #owner @{HOME}/.config/baloofilerc r,
+ #owner @{HOME}/.config/dolphinrc r,
+ #owner @{HOME}/.config/trashrc r,
+ #owner @{HOME}/.config/knfsshare r,
+ #owner /**/.directory r,
+
+ # For bookmarks
+ #/{usr/,}bin/keditbookmarks rPUx,
+ #owner @{HOME}/.local/share/kfile/ rw,
+ #owner @{HOME}/.local/share/kfile/#[0-9]*[0-9] rw,
+ #owner @{HOME}/.local/share/kfile/bookmarks.xml* rwl -> @{HOME}/.local/share/kfile/#[0-9]*[0-9],
+
+ # Common cache files
+ #owner @{HOME}/.cache/icon-cache.kcache rw,
+ #owner @{HOME}/.cache/ksycoca5_* r,
+
+ # Think what to do about this #FIXME#
+ # It seems when a QT app is
started in Plasma5/KDE5 environment it also wants the following.
+ ##include
+ #signal (send) set=(term, kill) peer=unconfined,
+ #deny @{sys}/bus/ r,
+ #deny @{sys}/bus/usb/devices/ r,
+ #deny @{sys}/class/ r,
+ #deny /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc.
+ #deny /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
+ #deny /{var/,}run/udev/data/+usb:* r, #
+ #/etc/exports r,
+ #/etc/xdg/menus/ r,
+ #/usr/share/mime/ r,
+ #owner @{HOME}/.config/menus/ r,
+ #owner @{HOME}/.config/menus/applications-merged/ r,
diff --git a/apparmor.d/abstractions/kerberosclient b/apparmor.d/abstractions/kerberosclient
new file mode 100644
index 00000000..5b79e3d6
--- /dev/null
+++ b/apparmor.d/abstractions/kerberosclient
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by kerberos client programs
+ /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
+ /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
+
+ /usr/lib{,32,64}/krb5/plugins/preauth/ r,
+ /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
+
+ /etc/krb5.keytab rk,
+ /etc/krb5.conf r,
+ /etc/krb5.conf.d/ r,
+ /etc/krb5.conf.d/* r,
+
+ # config files found via strings on libs
+ /etc/krb.conf r,
+ /etc/krb.realms r,
+ /etc/srvtab r,
+
+ # credential caches
+ /tmp/krb5cc* r,
diff --git a/apparmor.d/abstractions/ldapclient b/apparmor.d/abstractions/ldapclient
new file mode 100644
index 00000000..0c527282
--- /dev/null
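Review bot: Every rule in this abstraction apart from the single `#include` is commented out, so including it currently grants nothing beyond that include, and the file header does not say so. A line after the license block such as `# WORK IN PROGRESS: all rules below are disabled until the FIXME at the end is resolved` would keep profile authors from assuming the Plasma5 rules are in effect. The `@{KDE_APP_NAME}` requirement noted mid-file ("has to be set in profile which includes this abstraction") also belongs in the header, where it is seen before the commented rules.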
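Review bot: `/tmp/krb5cc* r,` is not `owner`-qualified, so any profile including this abstraction may read other users' Kerberos credential caches in /tmp to the extent DAC permits; `owner /tmp/krb5cc* r,` matches the "credential caches" comment's intent of the calling user's own cache. `/etc/krb5.keytab rk,` grants read of the host's long-term keys, which client programs normally do not need; if it stays, the header comment should name the client that requires it. Both rules are inherited from the upstream abstraction, so this is a tightening rather than a regression introduced by the commit.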
+++ b/apparmor.d/abstractions/ldapclient
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+ /etc/ldap.conf r,
+ /etc/ldap.secret r,
+ /etc/openldap/* r,
+ /etc/openldap/cacerts/* r,
+
+ # SASL plugins and config
+ /etc/sasl2/* r,
+ /usr/lib{,32,64}/sasl2/* r,
+
+ # local LDAP name service daemon
+ /{,var/}run/nslcd/socket rw,
+
+ #include
diff --git a/apparmor.d/abstractions/libpam-systemd b/apparmor.d/abstractions/libpam-systemd
new file mode 100644
index 00000000..76ee8693
--- /dev/null
+++ b/apparmor.d/abstractions/libpam-systemd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2016 Simon Deziel
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+ # libpam-systemd notifies systemd-logind about session logins/logouts
+ dbus send
+ bus=system
+ path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member={CreateSession,ReleaseSession},
diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc
new file mode 100644
index 00000000..e556f2a7
--- /dev/null
+++ b/apparmor.d/abstractions/libvirt-lxc
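Review bot: `/etc/ldap.secret r,` hands the confined process the file nss_ldap/pam_ldap use for the privileged bind password, and nothing in the hunk records that only DAC (the file being root-only) keeps it from every other profile that includes this abstraction. A comment such as `# bind password for nss_ldap/pam_ldap; relies on root-only DAC, include only in privileged profiles` would make the exposure visible to profile authors. `/usr/lib{,32,64}/sasl2/* r,` has no `@{multiarch}` counterpart, unlike the krb5 abstraction in this commit, which may be an oversight.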
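Review bot: The `dbus send` rule for `interface=org.freedesktop.login1.Manager` `member={CreateSession,ReleaseSession}` has no `peer=` constraint, so the confined process may send those calls to any name on the system bus rather than only to logind. Adding `peer=(name=org.freedesktop.login1),` as the final element of the rule, in the style of `peer=(name=org.kde.klauncher5)` used by the kde-open5 abstraction in this commit, limits it to the intended service.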
@@ -0,0 +1,114 @@
+ #include
+
+ umount,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny 
/proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny /sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+ deny /sys/fs/c[^g]*{,/**} wklx,
+ deny 
/sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu
new file mode 100644
index 00000000..2d08d6f7
--- /dev/null
+++ b/apparmor.d/abstractions/libvirt-qemu
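Review bot: The hand-written deny rules use `@{PROC}` (`deny @{PROC}/sys/fs/** wklx,`, `deny @{PROC}/sysrq-trigger rwklx,`) while the block under `# generated by: lxc-generate-aa-rules.py container-rules.base` uses literal `/proc/...`, so the two sets diverge if `@{PROC}` is ever redefined; unifying them or noting the reason would help. That generated block should also carry a line such as `# do not edit by hand; regenerate from container-rules.base` because a single manual change breaks the character-by-character exclusion scheme it encodes. The unqualified `umount,` and `mount fstype=tmpfs,` rules are unrestricted by path; that is presumably intended for a container init, but the abstraction has no header comment stating that assumption or the libvirt source it was taken from.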
@@ -0,0 +1,236 @@
+ #include
+ #include
+ #include
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ ptrace (readby, tracedby) peer=libvirtd,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/kvm rw,
+ /dev/net/tun rw,
+ /dev/ptmx rw,
+ @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/+usb* r,
+ /run/udev/data/c16[6,7]* r,
+ /run/udev/data/c18[0,8,9]* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /dev/snd/* rw,
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/AAVMF/** r,
+ /usr/share/bochs/** r,
+ /usr/share/edk2-ovmf/** r,
+ /usr/share/kvm/** r,
+ /usr/share/misc/sgabios.bin r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/OVMF/** r,
+ /usr/share/ovmf/** r,
+ /usr/share/proll/** r,
+ /usr/share/qemu-efi/** r,
+ /usr/share/qemu-kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/seabios/** r,
+ /usr/share/sgabios/** r,
+ /usr/share/slof/** r,
+ /usr/share/vgabios/** r,
+
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
+ /etc/pki/qemu/ r,
+ /etc/pki/qemu/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-system-aarch64 rmix,
+ /usr/bin/qemu-system-alpha rmix,
+ 
/usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-hppa rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-lm32 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-microblaze rmix,
+ /usr/bin/qemu-system-microblazeel rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-moxie rmix,
+ /usr/bin/qemu-system-nios2 rmix,
+ /usr/bin/qemu-system-or1k rmix,
+ /usr/bin/qemu-system-or32 rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-riscv32 rmix,
+ /usr/bin/qemu-system-riscv64 rmix,
+ /usr/bin/qemu-system-s390x rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-tricore rmix,
+ /usr/bin/qemu-system-unicore32 rmix,
+ /usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-system-xtensa rmix,
+ /usr/bin/qemu-system-xtensaeb rmix,
+ /usr/bin/qemu-unicore32 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
+
+ # swtpm
+ /{usr/,}bin/swtpm rmix,
+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+ /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
+ # for save and resume
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/dd rmix,
+ /{usr/,}bin/cat rmix,
+
+ # for restore
+ /{usr/,}bin/bash rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
+
+ # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
+ # dir and a few known functions like samba support.
+ # We want to avoid to give blanket rw permission to everything under /tmp,
+ # users are expected to add site specific addons for more uncommon cases.
+ # Qemu processes usually all run as the same users, so the "owner"
+ # restriction prevents access to other services files, but not across
+ # different instances.
+ # This is a tradeoff between usability and security - if paths would be more
+ # predictable that would be preferred - at least for write rules we would
+ # want more unique paths per rule.
+ /{,var/}tmp/ r,
+ owner /{,var/}tmp/**/ r,
+
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
+
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
+
+ # silence refusals to open lttng files (see LP: #1432644)
+ deny /dev/shm/lttng-ust-wait-* r,
+ deny /run/shm/lttng-ust-wait-* r,
+
+ # for vfio hotplug on systems without static vfio (LP: #1775777)
+ /dev/vfio/vfio rw,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
+
+ # required by libpmem init to fts_open()/fts_read() the symlinks in
+ # /sys/bus/nd/devices
+ / r, # harmless on any lsb compliant system
+ /sys/bus/nd/devices/{,**/} r,
diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm
new file mode 100644
index 00000000..1e64fd25
--- /dev/null
+++ b/apparmor.d/abstractions/lightdm
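Review bot: `/{dev,run}/shmpulse-shm* r,` and `/{dev,run}/shmpulse-shm* rwk,` look mistyped: they match a file named `shmpulse-shm…` directly under /dev or /run rather than PulseAudio's segments under `/dev/shm/`, and the spice rule immediately below (`owner /{dev,run}/shm/spice.* rw,`) shows the intended shape. If PulseAudio shared memory is the goal, `owner /{dev,run}/shm/pulse-shm* rwk,` is the likely fix, after which the `r`-only duplicate can go. Separately, `@{HOME}/.pulse-cookie rwk,` is not `owner`-qualified while `owner /root/.pulse-cookie rwk,` is; either add `owner` or comment why the asymmetry is needed. These rules are taken from the upstream libvirt abstraction, so they are pre-existing issues carried into this repository rather than regressions of the commit.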
@@ -0,0 +1,114 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm guest session
+# Author: Martin Pitt
+
+# This abstraction provides the majority of the confinement for guest sessions.
+# It is in its own abstraction so we can have a centralized place for
+# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
+# etc). Note that this profile intentionally omits chromium-browser.
+
+# Requires apparmor 2.9
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # bug in compiz https://launchpad.net/bugs/697678
+ /etc/compizconfig/config rw,
+ /etc/compizconfig/unity.ini rw,
+
+ / r,
+ /bin/ rmix,
+ /bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/X11/Xsession ix,
+ /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
+ /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /{,run/}media/ r,
+ owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/[0-9]*/net/ r,
+ @{PROC}/[0-9]*/net/dev r,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ @{PROC}/sys/vm/overcommit_memory r,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ # needed for bamfdaemon and utilities such as ps and killall
+ @{PROC}/*/stat r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ # needed for confined trusted helpers, such as dbus-daemon
+ /sys/kernel/security/apparmor/.access rw,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to
sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/mir_socket rw,
+ /{,var/}run/screen/** wl,
+ /{,var/}run/shm/** wl,
+ /{,var/}run/uuidd/request w,
+ # libpam-xdg-support/logind
+ owner /{,var/}run/user/*/** rw,
+
+ capability ipc_lock,
+
+ # allow processes in the guest session to signal and ptrace each other
+ signal peer=@{profile_name},
+ ptrace peer=@{profile_name},
+ # needed when logging out of the guest session
+ signal (receive) peer=unconfined,
+
+ unix peer=(label=@{profile_name}),
+ unix (receive) peer=(label=unconfined),
+ unix (create),
+ unix (getattr, getopt, setopt, shutdown),
+ unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
+ unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+ unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
+ unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
+ unix (bind, listen) type=stream addr="@guest*",
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
+ unix (connect, receive, send) type=stream peer=(addr="@guest*"),
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
diff --git a/apparmor.d/abstractions/lightdm_chromium-browser b/apparmor.d/abstractions/lightdm_chromium-browser
new file mode 100644
index 00000000..c8d6e6e6
--- /dev/null
+++ b/apparmor.d/abstractions/lightdm_chromium-browser
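Review bot: `/dev/** rmw, # audio devices etc.` together with `owner /tmp/** rwlkmix,` means this guest-session profile leaves device access to DAC alone (every node under /dev, not just sound and input, gets write and mmap) and lets the session execute, under the same profile, anything it has written to /tmp. If only multimedia devices are meant, enumerating them or adding explicit `deny` rules for block and memory device nodes would make that intent enforceable, and the write-plus-`ix` grant on /tmp deserves a comment stating the tradeoff, as `/{,run/}media/**` already has. The seven `#include` lines at the top have lost their targets on this page, so which abstractions are pulled in cannot be confirmed here.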
@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# Profile abstraction for restricting chromium in the lightdm guest session
+# Author: Jamie Strandboge
+
+# The abstraction provides the additional accesses required to launch
+# chromium based browsers from within an lightdm session. Because AppArmor
+# cannot yet merge profiles and because we want to utilize the access rules
+# provided in abstractions/lightdm, this abstraction must be separate from
+# abstractions/lightdm.
+
+# Requires apparmor 2.9
+
+ /usr/lib/chromium/chromium Cx -> chromium,
+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+ /usr/bin/webapp-container Cx -> chromium,
+ /usr/bin/webbrowser-app Cx -> chromium,
+ /usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
+ /opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
+ /opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
+ /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
+ /opt/google/chrome/google-chrome Cx -> chromium,
+
+ # Allow ptracing processes in the chromium child profile
+ ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ # Allow receiving and sending signals to processes in the chromium child profile
+ signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+
+ # Allow communications with chromium child profile via unix sockets
+ unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
+
+ profile chromium {
+ # Allow all the same accesses as other applications in the guest session
+ #include
+
+ # but also allow a few things because of chromium-browser's sandboxing that
+ # are not appropriate to other guest session applications.
+ owner @{PROC}/[0-9]*/oom_{,score_}adj w,
+ @{PROC}/sys/kernel/shmmax r,
+ capability sys_admin, # for sandbox to change namespaces
+ capability sys_chroot, # fod sandbox to chroot to a safe directory
+ capability setgid, # for sandbox to drop privileges
+ capability setuid, # for sandbox to drop privileges
+ capability sys_ptrace, # chromium needs this to keep track of itself
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Allow ptrace reads of processes in the lightdm-guest-session
+ ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+ # Allow other guest session processes to read and trace us
+ ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+ ptrace (readby, tracedby) peer=@{profile_name},
+
+ # Allow us to receive and send signals from processes in the
+ # lightdm-guest-session
+ signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
+
+ # Allow us to receive and send on unix sockets from processes in the
+ # lightdm-guest-session
+ unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
+
+ @{PROC}/[0-9]*/ r, # sandbox wants these
+ @{PROC}/[0-9]*/fd/ r, # sandbox wants these
+ @{PROC}/[0-9]*/statm r, # sandbox wants these
+ @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
+
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/uid_map w,
+ owner @{PROC}/@{pid}/gid_map w,
+
+ /selinux/ r,
+
+ /usr/lib/chromium/chrome-sandbox ix,
+ /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+ /opt/google/chrome-*/chrome-sandbox ix,
+ }
diff --git a/apparmor.d/abstractions/likewise b/apparmor.d/abstractions/likewise
new file mode 100644
index 00000000..7482842a
--- /dev/null
+++ b/apparmor.d/abstractions/likewise
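Review bot: `capability sys_admin, # for sandbox to change namespaces` inside `profile chromium {` is the single broadest grant in a profile whose purpose is to confine a guest session, and the one-clause comment does not say which component needs it; a fuller comment stating that it exists for the setuid `chrome-sandbox` helpers listed at the bottom of the profile, and can be revisited where unprivileged user namespaces make that helper unnecessary, would tell the next maintainer when it is safe to drop. The next line has a typo: `# fod sandbox to chroot to a safe directory` should read `# for sandbox to chroot to a safe directory`. The `#include` inside the child profile has lost its target on this page, so what the child inherits cannot be checked here.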
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /tmp/.lwidentity/pipe rw,
+ /var/lib/likewise-open/lwidentity_privileged/pipe rw,
diff --git a/apparmor.d/abstractions/lxc/container-base b/apparmor.d/abstractions/lxc/container-base
new file mode 100644
index 00000000..a242aa42
--- /dev/null
+++ b/apparmor.d/abstractions/lxc/container-base
@@ -0,0 +1,225 @@
+ network,
+ capability,
+ file,
+ umount,
+
+ # dbus, signal, ptrace and unix are only supported by recent apparmor
+ # versions. Comment them if the apparmor parser doesn't recognize them.
+
+ # This also needs additional rules to reach outside of the container via
+ # DBus, so just let all of DBus within the container.
+ dbus,
+
+ # Allow us to receive signals from anywhere. Note: if per-container profiles
+ # are supported, for container isolation this should be changed to something
+ # like:
+ # signal (receive) peer=unconfined,
+ # signal (receive) peer=/usr/bin/lxc-start,
+ signal (receive),
+
+ # Allow us to send signals to ourselves
+ signal peer=@{profile_name},
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace ourselves
+ ptrace peer=@{profile_name},
+
+ # Allow receive via unix sockets from anywhere. Note: if per-container
+ # profiles are supported, for container isolation this should be changed to
+ # something like:
+ # unix (receive) peer=(label=unconfined),
+ unix (receive),
+
+ # Allow all unix in the container
+ unix peer=(label=@{profile_name}),
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+ deny mount options=(ro, remount, silent) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow hugetlbfs mounts everywhere
+ mount fstype=hugetlbfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse,
+ mount fstype=fuse.*,
+
+ # deny access under /proc/bus to avoid e.g.
messing with pci devices directly
+ deny @{PROC}/bus/** wklx,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/kcore rwklx,
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/acpi/** rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+ mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+
+ # deny reads from debugfs
+ deny /sys/kernel/debug/{,**} rwklx,
+
+ # allow paths to be made slave, shared, private or unbindable
+ # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+# mount options=(rw,make-slave) -> **,
+# mount options=(rw,make-rslave) -> **,
+# mount options=(rw,make-shared) -> **,
+# mount options=(rw,make-rshared) -> **,
+# mount options=(rw,make-private) -> **,
+# mount options=(rw,make-rprivate) -> **,
+# mount options=(rw,make-unbindable) -> **,
+# mount options=(rw,make-runbindable) -> **,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
+ # allow moving mounts except for /proc, /sys and /dev
+ mount options=(rw,move) /[^spd]*{,/**},
+ mount options=(rw,move) /d[^e]*{,/**},
+ mount options=(rw,move) /de[^v]*{,/**},
+ mount options=(rw,move) /dev/.[^l]*{,/**},
+ mount options=(rw,move) /dev/.l[^x]*{,/**},
+ mount options=(rw,move) /dev/.lx[^c]*{,/**},
+ mount options=(rw,move) /dev/.lxc?*{,/**},
+ mount options=(rw,move) /dev/[^.]*{,/**},
+ mount options=(rw,move) /dev?*{,/**},
+ mount options=(rw,move) /p[^r]*{,/**},
+ mount
options=(rw,move) /pr[^o]*{,/**},
+ mount options=(rw,move) /pro[^c]*{,/**},
+ mount options=(rw,move) /proc?*{,/**},
+ mount options=(rw,move) /s[^y]*{,/**},
+ mount options=(rw,move) /sy[^s]*{,/**},
+ mount options=(rw,move) /sys?*{,/**},
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny
/sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+ deny /sys/fs/c[^g]*{,/**} wklx,
+ deny /sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
diff --git a/apparmor.d/abstractions/lxc/start-container b/apparmor.d/abstractions/lxc/start-container
new file mode 100644
index 00000000..9b9bdd43
--- /dev/null
+++ b/apparmor.d/abstractions/lxc/start-container
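Review bot: `capability,`, `network,`, `file,`, `signal (receive),`, `ptrace (tracedby),` and `unix (receive),` are all unqualified, so this base profile constrains what a container may mount and which /proc and /sys paths it may write, but not which capabilities it may use or which peers may signal, trace or talk to it; the per-rule comments say this for signal and unix, but nothing at the top of the file states that isolation between containers is expected from namespaces and per-container profiles rather than from this abstraction, and a header comment next to the parser-support note would make that scope explicit. The `deny /proc/sys/...` and `deny /sys/...` lists are marked `# generated by: lxc-generate-aa-rules.py container-rules.base`, yet neither the generator nor its input is part of this commit, so a maintainer cannot regenerate them after editing; name where they come from or check the input file in. The eight commented-out `make-slave`/`make-shared` mount rules under the FIXME are dead configuration and would read better as one comment naming the parser issue they wait on.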
@@ -0,0 +1,50 @@
+ network,
+ capability,
+ file,
+
+ # The following 3 entries are only supported by recent apparmor versions.
+ # Comment them if the apparmor parser doesn't recognize them.
+ dbus,
+ signal,
+ ptrace,
+
+ # currently blocked by apparmor bug
+ mount -> /usr/lib*/*/lxc/{**,},
+ mount -> /usr/lib*/lxc/{**,},
+ mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
+ mount fstype=devpts -> /dev/pts/,
+ mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount options=bind /dev/pts/** -> /dev/**,
+ mount options=(rw, make-slave) -> **,
+ mount options=(rw, make-rslave) -> **,
+ mount fstype=debugfs,
+ # allow pre-mount hooks to stage mounts under /var/lib/lxc//
+ mount -> /var/lib/lxc/{**,},
+
+ mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
+ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
+
+ # required for some pre-mount hooks
+ mount fstype=overlayfs,
+ mount fstype=aufs,
+ mount fstype=ecryptfs,
+
+ # all umounts are under the original root's /mnt, but right now we
+ # can't allow those umounts after pivot_root. So allow all umounts
+ # right now. They'll be restricted for the container at least.
+ umount,
+ #umount /mnt/{**,},
+
+ # This may look a bit redundant, however it appears we need all of
+ # them if we want things to work properly on all combinations of kernel
+ # and userspace parser...
+ pivot_root /usr/lib*/lxc/,
+ pivot_root /usr/lib*/*/lxc/,
+ pivot_root /usr/lib*/lxc/**,
+ pivot_root /usr/lib*/*/lxc/**,
+ pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
+
+ change_profile -> lxc-*,
+ change_profile -> lxc-**,
+ change_profile -> unconfined,
+ change_profile -> :lxc-*:unconfined,
diff --git a/apparmor.d/abstractions/mdns b/apparmor.d/abstractions/mdns
new file mode 100644
index 00000000..e05ef3a4
--- /dev/null
+++ b/apparmor.d/abstractions/mdns
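Review bot: `mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},` and `pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},` hard-code the x86_64 multiarch triplet while the neighbouring rules use `/usr/lib*/*/lxc/` and other files in this commit use `@{multiarch}`; on any other architecture these two rules are dead and the generic ones carry the load, so `/usr/lib/@{multiarch}/lxc/rootfs/{,**}` would be the consistent form. `change_profile -> unconfined,` and `change_profile -> :lxc-*:unconfined,` let the start helper leave confinement entirely yet carry no comment, unlike the mount and umount rules; a one-line note on when that transition is taken would help the next reviewer. The comment `# allow pre-mount hooks to stage mounts under /var/lib/lxc//` appears to have lost a placeholder between the two slashes.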
@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # mdnsd
+ /etc/nss_mdns.conf r,
+ /{,var/}run/mdnsd w,
diff --git a/apparmor.d/abstractions/mesa b/apparmor.d/abstractions/mesa
new file mode 100644
index 00000000..be699c77
--- /dev/null
+++ b/apparmor.d/abstractions/mesa
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# Rules for Mesa implementation of the OpenGL API
+
+ # System files
+ /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+
+ # Needed to check if the kernel supports the i915 perf interface
+ # (src/intel/perf/gen_perf.c, load_oa_metrics())
+ @{PROC}/sys/dev/i915/perf_stream_paranoid r,
+
+ # User files
+ owner @{HOME}/.cache/ w, # if user clears all caches
+ owner @{HOME}/.cache/mesa_shader_cache/ w,
+ owner @{HOME}/.cache/mesa_shader_cache/index rw,
+ owner @{HOME}/.cache/mesa_shader_cache/??/ w,
+ owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+
diff --git a/apparmor.d/abstractions/mesa-cache-write b/apparmor.d/abstractions/mesa-cache-write
new file mode 100644
index 00000000..80f8850a
--- /dev/null
+++ b/apparmor.d/abstractions/mesa-cache-write
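Review bot: The shader-cache rules in the mesa abstraction (`owner @{HOME}/.cache/mesa_shader_cache/??/ w,` and `owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,`) are one of three shapes this commit ships for the same directory: mesa-cache-write uses `[a-f0-9][a-f0-9]/` with a separate `.tmp` rule and a `/tmp/Temp-*` fallback, and opencl-mesa uses `mesa_shader_cache/{,**} rw`. Three variants of one grant will drift apart on the next Mesa change; one abstraction should own the cache rules and the others `#include` it, or each file should at least say which one is canonical and why it differs.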
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ # System files
+ /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+
+ # Mesa cache (since mesa v18.1.1)
+ owner @{HOME}/.cache/mesa_shader_cache/ rw,
+ owner @{HOME}/.cache/mesa_shader_cache/index rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+
+ # If the dir in @{HOME}/.cache is not writable, it uses a dir in /tmp/
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+
+
diff --git a/apparmor.d/abstractions/mir b/apparmor.d/abstractions/mir
new file mode 100644
index 00000000..16c57ec3
--- /dev/null
+++ b/apparmor.d/abstractions/mir
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # mir libraries sometimes do not have a lib prefix
+ # see LP: #1422521
+ /usr/lib/@{multiarch}/mir/*.so* mr,
+ /usr/lib/@{multiarch}/mir/**/*.so* mr,
+
+ # unprivileged mir socket for clients
diff --git a/apparmor.d/abstractions/mozc b/apparmor.d/abstractions/mozc
new file mode 100644
index 00000000..f736bc26
--- /dev/null
+++ b/apparmor.d/abstractions/mozc
@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
diff --git a/apparmor.d/abstractions/mysql b/apparmor.d/abstractions/mysql
new file mode 100644
index 00000000..fed759bb
--- /dev/null
+++ b/apparmor.d/abstractions/mysql
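Review bot: The mir abstraction ends with `# unprivileged mir socket for clients` and no rule after it, so the last line of the file documents nothing; either the socket rule was dropped when the file was imported (the lightdm abstraction in this commit grants `/{,var/}run/mir_socket rw,`, which looks like the line this comment once introduced) or the comment should go with it. If leaving the socket out is deliberate, a short note that consumers must grant the socket themselves would stop it from being re-added without thought.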
@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /var/lib/mysql{,d}/mysql{,d}.sock rw,
+ /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
+ /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
+ /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
diff --git a/apparmor.d/abstractions/nameservice b/apparmor.d/abstractions/nameservice
new file mode 100644
index 00000000..cf34167e
--- /dev/null
+++ b/apparmor.d/abstractions/nameservice
@@ -0,0 +1,106 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # Many programs wish to perform nameservice-like operations, such as
+ # looking up users by name or id, groups by name or id, hosts by name
+ # or IP, etc. These operations may be performed through files, dns,
+ # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
+ /etc/group r,
+ /etc/host.conf r,
+ /etc/hosts r,
+ /etc/nsswitch.conf r,
+ /etc/gai.conf r,
+ /etc/passwd r,
+ /etc/protocols r,
+
+ # libtirpc (used for NIS/YP login) needs this
+ /etc/netconfig r,
+
+ # When using libnss-extrausers, the passwd and group files are merged from
+ # an alternate path
+ /var/lib/extrausers/group r,
+ /var/lib/extrausers/passwd r,
+
+ # NSS records from systemd-userdbd.service
+ /{,var/}run/systemd/userdb/ r,
+ /{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ # When using sssd, the passwd and group files are stored in an alternate path
+ # and the nss plugin also needs to talk to a pipe
+ /var/lib/sss/mc/group r,
+ /var/lib/sss/mc/initgroups r,
+ /var/lib/sss/mc/passwd r,
+ /var/lib/sss/pipes/nss rw,
+
+ /etc/resolv.conf r,
+ # On systems where /etc/resolv.conf is managed programmatically, it is
+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
+ /etc/resolvconf/run/resolv.conf r,
+ /{,var/}run/systemd/resolve/stub-resolv.conf r,
+
+ /etc/samba/lmhosts r,
+ /etc/services r,
+ # db backend
+ /var/lib/misc/*.db r,
+ # The Name Service Cache Daemon can cache lookups, sometimes leading
+ # to vast speed increases when working with network-based lookups.
+ /{,var/}run/.nscd_socket rw,
+ /{,var/}run/nscd/socket rw,
+ /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
+ # nscd renames and unlinks files in it's operation that clients will
+ # have open
+ /{,var/}run/nscd/db* rmix,
+
+ # The nss libraries are sometimes used in addition to PAM; make sure
+ # they are available
+ /{usr/,}lib{,32,64}/libnss_*.so* mr,
+ /{usr/,}lib/@{multiarch}/libnss_*.so* mr,
+ /etc/default/nss r,
+
+ # avahi-daemon is used for mdns4 resolution
+ /{,var/}run/avahi-daemon/socket rw,
+
+ # libnl-3-200 via libnss-gw-name
+ @{PROC}/@{pid}/net/psched r,
+ /etc/libnl-*/classid r,
+
+ # nis
+ #include
+
+ # ldap
+ #include
+
+ # winbind
+ #include
+
+ # likewise
+ #include
+
+ # mdnsd
+ #include
+
+ # kerberos
+ #include
+
+ # TCP/UDP network access
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ # TODO: adjust when support finer-grained netlink rules
+ # Netlink raw needed for nscd
+ network netlink raw,
+
+ # interface details
+ @{PROC}/@{pid}/net/route r,
diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
new file mode 100644
index 00000000..33325717
--- /dev/null
+++ b/apparmor.d/abstractions/nameservice-strict
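Review bot: `/{,var/}run/nscd/db* rmix,` grants execute-with-inherit on nscd's database files, while the comment above it only explains that nscd renames and unlinks files that clients hold open, which needs `r` and `m` but not `x`; unless a consumer is known to exec these files, `/{,var/}run/nscd/db* rm,` is the narrower rule (this looks inherited from upstream, so confirm against the upstream history before changing it). That comment also has a typo: `in it's operation` should be `in its operation`. The six `#include` lines have lost their targets on this page, so which sub-abstractions are pulled in cannot be checked here.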
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ /etc/hosts r,
+ /etc/host.conf r,
+ /etc/resolv.conf r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/gai.conf r,
+ /etc/group r,
+ /etc/protocols r,
+ /etc/default/nss r,
+ /etc/services r,
+
+ # NSS records from systemd-userdbd.service
+ /{var,}run/systemd/userdb/ r,
+ /{var,}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
diff --git a/apparmor.d/abstractions/nis b/apparmor.d/abstractions/nis
new file mode 100644
index 00000000..690e6796
--- /dev/null
+++ b/apparmor.d/abstractions/nis
@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # NIS rules
+ /var/yp/binding/* r,
+ # portmapper may ask root processes to do nis/ldap at low ports
+ capability net_bind_service,
+
diff --git a/apparmor.d/abstractions/nvidia b/apparmor.d/abstractions/nvidia
new file mode 100644
index 00000000..b01ef8b5
--- /dev/null
+++ b/apparmor.d/abstractions/nvidia
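Review bot: `/{var,}run/systemd/userdb/ r,` and the `io.systemd.{...}` rule below it in nameservice-strict use the alternation `{var,}`, which expands to `/varrun/...` and `/run/...`, so `/var/run/systemd/userdb/` is never matched on systems where /run is reached through that path; the nameservice abstraction in this commit spells the same rules `/{,var/}run/...` and mysql uses `/{var/,}run/`. The fix is `/{,var/}run/systemd/userdb/ r,` and `/{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,`.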
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# nvidia access requirements
+
+ # configuration queries
+ capability ipc_lock,
+
+ /usr/share/nvidia/nvidia-application-profiles* r,
+
+ # libvdpau config file for nvidia workarounds
+ /etc/vdpau_wrapper.cfg r,
+
+ # device files
+ /dev/nvidiactl rw,
+ /dev/nvidia-modeset rw,
+ /dev/nvidia[0-9]* rw,
+
+ @{PROC}/interrupts r,
+ @{PROC}/sys/vm/max_map_count r,
+ @{PROC}/driver/nvidia/params r,
+ @{PROC}/modules r,
+
+ @{sys}/devices/system/memory/block_size_bytes r,
+
+ owner @{HOME}/.nv/ w,
+ owner @{HOME}/.nv/GLCache/ rw,
+ owner @{HOME}/.nv/GLCache/** rwk,
+
+ unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
diff --git a/apparmor.d/abstractions/opencl b/apparmor.d/abstractions/opencl
new file mode 100644
index 00000000..32a21b2a
--- /dev/null
+++ b/apparmor.d/abstractions/opencl
@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+# OpenCL access requirements
+
+ # TODO: use conditionals to select allowed implementations
+ #include
+ #include
+ #include
+ #include
+
diff --git a/apparmor.d/abstractions/opencl-common b/apparmor.d/abstractions/opencl-common
new file mode 100644
index 00000000..0ad3d559
--- /dev/null
+++ b/apparmor.d/abstractions/opencl-common
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# implementation-independent OpenCL access requirements
+
+ # System files
+
+ /etc/OpenCL/** r,
+ @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
+ @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
+ @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
+
diff --git a/apparmor.d/abstractions/opencl-intel b/apparmor.d/abstractions/opencl-intel
new file mode 100644
index 00000000..353eeca2
--- /dev/null
+++ b/apparmor.d/abstractions/opencl-intel
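Review bot: The opencl abstraction is four bare `#include` lines under `# TODO: use conditionals to select allowed implementations`, so every consumer receives the rules of every implementation at once; the include targets are not visible on this page, but if they are the four opencl-* files in this commit, a program that only uses Mesa also receives the Intel, NVIDIA and POCL grants, including the `Px` and `Cx` profile transitions those files define. Until the conditionals exist, a comment listing the included implementations and telling consumers that want a single vendor to include that vendor's abstraction directly would make the cost of the aggregate visible.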
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Intel implementation
+
+ #include
+
+ # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
+ #include
+
+ # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
+ #include
+
+ # System files
+
+ /dev/dri/card[0-9]* rw, # beignet/libcl.so
+ @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+ /usr/lib/@{multiarch}/beignet/** r,
+
diff --git a/apparmor.d/abstractions/opencl-mesa b/apparmor.d/abstractions/opencl-mesa
new file mode 100644
index 00000000..9d7f82b2
--- /dev/null
+++ b/apparmor.d/abstractions/opencl-mesa
@@ -0,0 +1,20 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Mesa implementation
+
+ #include
+
+ # Additional libraries
+
+ /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
+ /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
+
+ # System files
+
+ /dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
+ /dev/dri/render* rw, # libMesaOpenCL.so
+ /etc/drirc r, # libMesaOpenCL.so
+
+ # User files
+
+ owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
+
diff --git a/apparmor.d/abstractions/opencl-nvidia b/apparmor.d/abstractions/opencl-nvidia
new file mode 100644
index 00000000..8a4764ec
--- /dev/null
+++ b/apparmor.d/abstractions/opencl-nvidia
@@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# OpenCL access requirements for NVIDIA implementation + + #include + #include + + # Executables + + # https://github.com/NVIDIA/nvidia-modprobe + # This setuid executable is used to create various device files and load the + # the nvidia kernel module. + /usr/bin/nvidia-modprobe Px -> nvidia_modprobe, + + # System files + + # libnvidia-opencl.so rules: + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + @{sys}/devices/pci[0-9]*/**/config r, + @{sys}/devices/system/memory/block_size_bytes r, + /usr/share/nvidia/** r, + @{PROC}/devices r, + @{PROC}/sys/vm/mmap_min_addr r, + + # User files + + owner @{HOME}/.nv/ComputeCache/ w, + owner @{HOME}/.nv/ComputeCache/** rw, + owner @{HOME}/.nv/ComputeCache/index rwk, + diff --git a/apparmor.d/abstractions/opencl-pocl b/apparmor.d/abstractions/opencl-pocl new file mode 100644 index 00000000..054689ab --- /dev/null +++ b/apparmor.d/abstractions/opencl-pocl 
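Review bot: `/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,` has no fallback: unlike PUx, a Px transition to a profile that is not loaded makes the exec fail, so this abstraction now silently depends on a `nvidia_modprobe` profile existing in the same tree, and the comment above the rule should say so, e.g. `# Px has no unconfined fallback: the exec is denied unless the nvidia_modprobe profile is loaded`. The `/usr/share/nvidia/** r,` rule also appears to overlap the narrower `/usr/share/nvidia/nvidia-application-profiles* r,` rule of the nvidia abstraction that this file seems to include (the include target is not visible in the rendered diff); if the wider rule is intended, a comment naming what else under /usr/share/nvidia is needed would help.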
@@ -0,0 +1,76 @@ +# vim:syntax=apparmor +# OpenCL access requirements for POCL implementation + + #include + + # Executables + + /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld, + /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang, + + # System files + + / r, # libpocl.so -> libhwloc.so + @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so + @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so + @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so + @{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so + @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so + @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so + @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so + @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so + @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so + @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so + @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so + @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so + @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so + @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so + @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so + /usr/share/pocl/** r, + /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so + + # User files + + owner @{HOME}/.cache/pocl/ w, + owner @{HOME}/.cache/pocl/kcache/ w, + owner @{HOME}/.cache/pocl/kcache/** rw, + owner @{HOME}/.cache/pocl/kcache/**.so 
mrw, # dangerous! + owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so + + # Child profiles + + profile opencl_pocl_ld { + #include + + # Main executables + + /usr/bin/{,@{multiarch}-}ld.bfd mr, + + # User files + + owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw, + owner @{HOME}/.cache/pocl/kcache/**.so.o r, + } + + profile opencl_pocl_clang { + #include + + # Main executables + + /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr, + + # Additional executables + + /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile? + + # System files + + /etc/debian-version r, + /etc/lsb-release r, + + # User files + + owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw, + } + diff --git a/apparmor.d/abstractions/openssl b/apparmor.d/abstractions/openssl new file mode 100644 index 00000000..697da7ae --- /dev/null +++ b/apparmor.d/abstractions/openssl @@ -0,0 +1,14 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2011 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /etc/ssl/openssl.cnf r, + /usr/share/ssl/openssl.cnf r, + @{PROC}/sys/crypto/fips_enabled r, + diff --git a/apparmor.d/abstractions/orbit2 b/apparmor.d/abstractions/orbit2 new file mode 100644 index 00000000..b8df9df6 --- /dev/null +++ b/apparmor.d/abstractions/orbit2 @@ -0,0 +1,5 @@ +# vim:syntax=apparmor +# orbit2 permissions + + # system library + /usr/lib/orbit-2.0/*.so mr, diff --git a/apparmor.d/abstractions/p11-kit b/apparmor.d/abstractions/p11-kit new file mode 100644 index 00000000..84b7b11d --- /dev/null +++ b/apparmor.d/abstractions/p11-kit 
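Review bot: `owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!` grants write and map-executable on the same user-writable path, so the confined process can map as code anything it (or any other process running with the same fsuid, since `owner` checks only ownership) has written there; the comment should state that rather than just "dangerous", e.g. `# w+m on one rule: the confined process can map executable code it wrote itself (pocl JIT cache); keep this path out of other profiles`. Separately, in the `opencl_pocl_clang` child profile `/etc/debian-version r,` uses a hyphen; the Debian release file is `/etc/debian_version`, so this rule never matches and the read is denied — change it to `/etc/debian_version r,`. The enclosing file continues into the next physical line of the diff, and the `#include` targets are not visible in the rendered text.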
@@ -0,0 +1,27 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /etc/pkcs11/ r, + /etc/pkcs11/pkcs11.conf r, + /etc/pkcs11/modules/ r, + /etc/pkcs11/modules/* r, + + /usr/lib{,32,64}/pkcs11/*.so mr, + /usr/lib/@{multiarch}/pkcs11/*.so mr, + + /usr/share/p11-kit/modules/ r, + /usr/share/p11-kit/modules/* r, + + # gnome-keyring pkcs11 module + owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, + + # p11-kit also supports reading user configuration from ~/.pkcs11 depending + # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be + # included in this abstraction. diff --git a/apparmor.d/abstractions/perl b/apparmor.d/abstractions/perl new file mode 100644 index 00000000..0e20aeb5 --- /dev/null +++ b/apparmor.d/abstractions/perl @@ -0,0 +1,23 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + # a few files typically required for perl scripts + /usr/bin/perl rmix, + /usr/bin/perl[0-9].[0-9].[0-9] rmix, + + /usr/lib{,32,64}/perl5/** r, + /usr/lib{,32,64}/perl{,5}/**.so* mr, + /usr/lib/@{multiarch}/perl{,5,-base}/** r, + /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr, + + /usr/share/perl/** r, + /usr/share/perl5/** r, + /etc/perl/** r, diff --git a/apparmor.d/abstractions/php b/apparmor.d/abstractions/php new file mode 100644 index 00000000..4aba2415 
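Review bot: In the perl abstraction, `/usr/bin/perl[0-9].[0-9].[0-9] rmix,` only matches a single-digit minor version, but Debian installs the versioned interpreter as e.g. `/usr/bin/perl5.30.0`, so the rule never matches a current perl and only the unversioned `/usr/bin/perl rmix,` does the work. Widening the glob keeps the intent, e.g. `/usr/bin/perl[0-9].[0-9]*.[0-9]* rmix,`. Note also that `ix` makes every perl script inherit the calling profile, which is the intended design of this abstraction but worth a one-line comment above the rule.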
--- /dev/null +++ b/apparmor.d/abstractions/php @@ -0,0 +1,39 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# Copyright (C) 2009-2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + # shared snippets for config files + /etc/php{,5,7}/**/ r, + /etc/php{,5,7}/**.ini r, + + # Xlibs + /usr/X11R6/lib{,32,64}/lib*.so* mr, + # php extensions + /usr/lib{64,}/php{,5,7}/*/*.so mr, + + # ICU (unicode support) data tables + /usr/share/icu/*/*.dat r, + + # php session mmap socket + /var/lib/php{,5,7}/session_mm_* rwlk, + # file based session handler + /var/lib/php{,5,7}/sess_* rwlk, + /var/lib/php{,5,7}/sessions/* rwlk, + + # php libraries + /usr/share/php{,5,7}/ r, + /usr/share/php{,5,7}/** mr, + + # MySQL extension + /usr/share/mysql/** r, + + # Zend opcache + /tmp/.ZendSem.* rwlk, diff --git a/apparmor.d/abstractions/php5 b/apparmor.d/abstractions/php5 new file mode 100644 index 00000000..9f5355f9 --- /dev/null +++ b/apparmor.d/abstractions/php5 @@ -0,0 +1,3 @@ +#backwards compatibility include, actual abstraction moved from php5 to php + +#include diff --git a/apparmor.d/abstractions/postfix-common b/apparmor.d/abstractions/postfix-common new file mode 100644 index 00000000..3dc599af --- /dev/null +++ b/apparmor.d/abstractions/postfix-common 
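Review bot: The session-handler rules `/var/lib/php{,5,7}/sess_* rwlk,` and `/var/lib/php{,5,7}/sessions/* rwlk,` carry no `owner` qualifier, so every profile that includes this abstraction may read and rewrite every PHP session file on the host, which is where authenticated session state lives. If the PHP worker and the session files run under the same uid (typically the case for php-fpm, to be confirmed for the deployments this tree targets), prefixing these rules with `owner` narrows them at no cost, e.g. `owner /var/lib/php{,5,7}/sessions/* rwlk,`. A short comment on why the rules are unqualified would be the alternative if cross-uid access is deliberate.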
@@ -0,0 +1,37 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2015 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# used with postfix/* + + + capability setuid, + capability setgid, + capability sys_chroot, + + # postfix's master can send us signals + signal receive peer=/usr/lib/postfix/master, + signal receive peer=postfix-master, + + unix (send, receive) peer=(label=/usr/lib/postfix/master), + unix (send, receive) peer=(label=postfix-master), + + /etc/mailname r, + /etc/postfix/*.cf r, + /etc/postfix/*.db rk, + @{PROC}/net/if_inet6 r, + /usr/lib/postfix/*.so mr, + /usr/lib{,32,64}/sasl2/* mr, + /usr/lib{,32,64}/sasl2/ r, + /usr/lib/@{multiarch}/sasl2/* mr, + /usr/lib/@{multiarch}/sasl2/ r, + + /var/spool/postfix/etc/* r, + /var/spool/postfix/lib/lib*.so* mr, + /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, diff --git a/apparmor.d/abstractions/private-files b/apparmor.d/abstractions/private-files new file mode 100644 index 00000000..09f6d9bd --- /dev/null +++ b/apparmor.d/abstractions/private-files 
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
+
+ # privacy violations (don't audit files under $HOME otherwise get a
+ # lot of false positives when reading contents of directories)
+ deny @{HOME}/.*history mrwkl,
+ deny @{HOME}/.fetchmail* mrwkl,
+ deny @{HOME}/.mutt** mrwkl,
+ deny @{HOME}/.viminfo* mrwkl,
+ deny @{HOME}/.*~ mrwkl,
+ deny @{HOME}/.*.swp mrwkl,
+ deny @{HOME}/.*~1~ mrwkl,
+ deny @{HOME}/.*.bak mrwkl,
+
+ # special attention to (potentially) executable files
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/autostart/{,**} wl,
+ audit deny @{HOME}/.config/upstart/{,**} wl,
+ audit deny @{HOME}/.init/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/ w,
+ audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+ audit deny @{HOME}/.local/{,share/} w,
+ audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+ audit deny @{HOME}/.pki/ w,
+ audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
+
+ # don't allow reading/updating of run control files
+ deny @{HOME}/.*rc mrk,
+ audit deny @{HOME}/.*rc wl,
+
+ # bash
+ deny @{HOME}/.bash* mrk,
+ audit deny @{HOME}/.bash* wl,
+ deny @{HOME}/.inputrc mrk,
+ audit deny @{HOME}/.inputrc wl,
+
+ # sh/dash/csh/tcsh/pdksh/zsh
+ deny @{HOME}/.{,z}profile* mrk,
+ audit deny @{HOME}/.{,z}profile* wl,
+ deny @{HOME}/.{,z}log{in,out} mrk,
+ audit deny @{HOME}/.{,z}log{in,out} wl,
+
+ deny @{HOME}/.zshenv mrk,
+ audit deny @{HOME}/.zshenv wl,
diff --git a/apparmor.d/abstractions/private-files-strict b/apparmor.d/abstractions/private-files-strict
new file mode 100644
index 00000000..31934318
--- /dev/null
+++ b/apparmor.d/abstractions/private-files-strict
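Review bot: The header comment says `privacy-violations contains rules ...` while the abstraction is installed as `private-files`, so a reader grepping for the file by name will not find its own description; the line should read `# private-files contains rules for common files that you want to explicitly deny access to`. The header would also benefit from stating the one property that makes this abstraction different from the others in the commit: AppArmor `deny` rules take precedence over `allow` rules regardless of order, so a profile that includes this file cannot re-allow `@{HOME}/.bashrc` or `@{HOME}/.*history` elsewhere; `# NOTE: deny rules override allow rules, so an includer cannot grant these paths back` would save the next maintainer a debugging session.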
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# privacy-violations-strict contains additional rules for sensitive
+# files that you want to explicitly deny access
+
+ #include
+
+ # potentially extremely sensitive files
+ audit deny @{HOME}/.aws/{,**} mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ # don't allow access to any gnome-keyring modules
+ audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
diff --git a/apparmor.d/abstractions/python b/apparmor.d/abstractions/python
new file mode 100644
index 00000000..6c81af84
--- /dev/null
+++ b/apparmor.d/abstractions/python
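Review bot: The "potentially extremely sensitive files" list covers the legacy `.gnome2/keyrings/` location but not the directory gnome-keyring has used for years, and it omits a few other plaintext-credential files, so the strict variant gives less protection than its name suggests on a current desktop. Adding `audit deny @{HOME}/.local/share/keyrings/{,**} mrwkl,`, `audit deny @{HOME}/.netrc mrwkl,` and `audit deny @{HOME}/.password-store/{,**} mrwkl,` next to the existing `.gnupg`/`.ssh` rules would close the most common gaps; which other stores matter depends on the applications this tree confines. As in the base abstraction, the header comment still says `privacy-violations-strict` although the file is `private-files-strict`.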
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
+ /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+ /etc/python{2.[4-7],3.[0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+ /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
+ /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
+ /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
+
+ # wx paths
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+ /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
+
+ # Silencer
+ deny /usr/lib{,32,64}/python*/** w,
diff --git a/apparmor.d/abstractions/qt5 b/apparmor.d/abstractions/qt5
new file mode 100644
index 00000000..66a574bf
--- /dev/null
+++ b/apparmor.d/abstractions/qt5
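Review bot: The three `/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/...` rules lack the bare `3` alternative that the parallel `/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/...` rules carry, so `.py`, `.egg` and `.pth` files under Debian's `/usr/lib/python3/dist-packages/` are not readable through this abstraction even though `/usr/lib/python3/dist-packages/**.so mr,` lower down shows the path is expected. Making the first block match the second, e.g. `/usr/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,`, fixes the inconsistency. Note also that `3.[0-9]` stops matching at 3.10; whether to widen it now is a judgement call, but a comment recording the limit would help.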
@@ -0,0 +1,22 @@ +# vim:syntax=apparmor +# Common rules for Qt5-based applications + + # Additional libraries + + /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr, + /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr, + /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules + + # System files + + /etc/xdg/QtProject/qtlogging.ini r, + /usr/share/qt5/translations/*.qm r, + /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r, + /usr/lib{,64,/@{multiarch}}/qt5/qml/** r, + + # User files + + owner @{HOME}/.config/QtProject/qtlogging.ini r, + owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access) + owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins + diff --git a/apparmor.d/abstractions/qt5-compose-cache-write b/apparmor.d/abstractions/qt5-compose-cache-write new file mode 100644 index 00000000..38cb2348 --- /dev/null +++ b/apparmor.d/abstractions/qt5-compose-cache-write @@ -0,0 +1,8 @@ +# vim:syntax=apparmor +# Allow writing cache for Qt5 "platforminputcontexts" plugins + + # User files + + owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], + owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) + diff --git a/apparmor.d/abstractions/qt5-settings-write b/apparmor.d/abstractions/qt5-settings-write new file mode 100644 index 00000000..07d10972 --- /dev/null +++ b/apparmor.d/abstractions/qt5-settings-write @@ -0,0 +1,11 @@ +# vim:syntax=apparmor +# Allow writing shared settings for Qt-based applications + + # User files + + owner @{HOME}/.config/#[0-9]*[0-9] rw, + owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9], + # for temporary files like QtProject.conf.Aqrgeb + owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], + owner @{HOME}/.config/QtProject.conf.lock rwk, + 
diff --git a/apparmor.d/abstractions/recent-documents-write b/apparmor.d/abstractions/recent-documents-write new file mode 100644 index 00000000..320ec943 --- /dev/null +++ b/apparmor.d/abstractions/recent-documents-write @@ -0,0 +1,10 @@ +# vim:syntax=apparmor +# Allow updating recent documents + + # User files + + owner @{HOME}/.local/share/RecentDocuments/ rw, + owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw, + owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> /home/*/.local/share/RecentDocuments/#[0-9]*, + owner @{HOME}/.local/share/RecentDocuments/*.lock rwk, + diff --git a/apparmor.d/abstractions/ruby b/apparmor.d/abstractions/ruby new file mode 100644 index 00000000..ff4ac9fa --- /dev/null +++ b/apparmor.d/abstractions/ruby @@ -0,0 +1,21 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r, + /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r, + /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr, + + /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r, + /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r, + /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr, + + /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r, + /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r, diff --git a/apparmor.d/abstractions/samba b/apparmor.d/abstractions/samba new file mode 100644 index 00000000..1cab7309 --- /dev/null +++ b/apparmor.d/abstractions/samba 
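Review bot: In recent-documents-write the link target is hard-coded as `/home/*/.local/share/RecentDocuments/#[0-9]*` while the source side of the same rule uses `@{HOME}`; `@{HOME}` also covers `/root/` and any non-/home entries in `@{HOMEDIRS}`, so for those users the `l` permission is granted for a target that never matches and the rename-via-link fails. The sibling qt5-settings-write hunk uses `@{HOME}` on both sides, which is the form to copy here: `owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,`.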
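Review bot: Every rule in the ruby abstraction is pinned to `1.[89]{.[0-9],}`, so on any distribution shipping Ruby 2.x or later (library paths such as `/usr/lib/ruby/2.7.0/`) none of these rules match and the abstraction grants nothing. If the abstraction is meant to be usable today, the version component should be widened, e.g. `{1.[89],[2-9].[0-9]*}{.[0-9],}` in each rule, or the header should state that it is kept only for legacy interpreters.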
@@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /etc/samba/* r, + /usr/lib*/ldb/*.so mr, + /usr/lib*/samba/ldb/*.so mr, + /usr/share/samba/*.dat r, + /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, + /var/cache/samba/ w, + /var/cache/samba/lck/* rwk, + /var/lib/samba/** rwk, + /var/log/samba/cores/ rw, + /var/log/samba/cores/** rw, + /var/log/samba/* w, + /{,var/}run/samba/ w, + /{,var/}run/samba/*.tdb rw, + + # required for clustering + /var/lib/ctdb/** rwk, diff --git a/apparmor.d/abstractions/smbpass b/apparmor.d/abstractions/smbpass new file mode 100644 index 00000000..eb4cf26b --- /dev/null +++ b/apparmor.d/abstractions/smbpass @@ -0,0 +1,13 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + # libpam-smbpass/pam_smbpass.so permissions + /var/lib/samba/*.[lt]db rwk, diff --git a/apparmor.d/abstractions/ssl_certs b/apparmor.d/abstractions/ssl_certs new file mode 100644 index 00000000..789efc58 --- /dev/null +++ b/apparmor.d/abstractions/ssl_certs 
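Review bot: `/var/lib/samba/** rwk,` in a shared abstraction gives every includer write access to the whole Samba state tree, which includes `private/` (secrets.tdb and the passdb), whereas the smbpass hunk shows that even the password-module case can be expressed with the narrower `/var/lib/samba/*.[lt]db rwk,`. If read-mostly consumers of this abstraction exist in the tree, a comment documenting that the rule deliberately covers credential databases, or a split into `/var/lib/samba/** r,` plus write rules for the specific tdb files, would make the grant reviewable; I cannot see the includers from this diff, so which is right is for the author to confirm.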
@@ -0,0 +1,44 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2010-2011 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /etc/ssl/ r, + /etc/ssl/certs/ r, + /etc/ssl/certs/* r, + /etc/pki/trust/ r, + /etc/pki/trust/* r, + /etc/pki/trust/anchors/ r, + /etc/pki/trust/anchors/** r, + /usr/share/ca-certificates/ r, + /usr/share/ca-certificates/** r, + /usr/share/ssl/certs/ca-bundle.crt r, + /usr/local/share/ca-certificates/ r, + /usr/local/share/ca-certificates/** r, + /var/lib/ca-certificates/ r, + /var/lib/ca-certificates/** r, + + # acmetool + /var/lib/acme/certs/*/chain r, + /var/lib/acme/certs/*/cert r, + + # dehydrated + /{etc,var/lib}/dehydrated/certs/*/cert*.pem r, + /{etc,var/lib}/dehydrated/certs/*/chain*.pem r, + /{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r, + /{etc,var/lib}/dehydrated/certs/*/ocsp*.der r, + + # certbot + /etc/letsencrypt/archive/*/cert*.pem r, + /etc/letsencrypt/archive/*/chain*.pem r, + /etc/letsencrypt/archive/*/fullchain*.pem r, + + /etc/certbot/archive/*/cert*.pem r, + /etc/certbot/archive/*/chain*.pem r, + /etc/certbot/archive/*/fullchain*.pem r, diff --git a/apparmor.d/abstractions/ssl_keys b/apparmor.d/abstractions/ssl_keys new file mode 100644 index 00000000..2de760b5 --- /dev/null +++ b/apparmor.d/abstractions/ssl_keys 
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # private ssl permissions
+
+ # Just include the whole /etc/ssl directory if we should have access to
+ # private keys too
+ /etc/ssl/ r,
+ /etc/ssl/** r,
+
+ # acmetool
+ /var/lib/acme/live/* r,
+ /var/lib/acme/certs/** r,
+ /var/lib/acme/keys/** r,
+
+ # dehydrated
+ /{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
+
+ # certbot / letsencrypt
+ /etc/letsencrypt/archive/*/privkey*.pem r,
+
+ /etc/certbot/archive/*/privkey*.pem r,
diff --git a/apparmor.d/abstractions/svn-repositories b/apparmor.d/abstractions/svn-repositories
new file mode 100644
index 00000000..68ac5e0b
--- /dev/null
+++ b/apparmor.d/abstractions/svn-repositories
@@ -0,0 +1,52 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + # This little snippet should abstract the read/write access to a repository. + # it is intended to be included in profiles for svnserve/apache2 and maybe + # some repository viewers like trac/viewvc + + # no hooks exec by default; please define whatever you need explicitely. + + /srv/svn/**/conf/* r, + /srv/svn/**/format r, + /srv/svn/**/db/fs-type r, + /srv/svn/**/db/format r, + + # FSFS + /srv/svn/**/db/ r, + /srv/svn/**/db/uuid r, + /srv/svn/**/db/write-lock rwl, + /srv/svn/**/db/current rwl, + /srv/svn/**/db/current*.tmp rwl, + /srv/svn/**/db/revs/ r, + /srv/svn/**/db/revs/* rw, + /srv/svn/**/db/revprops/ r, + /srv/svn/**/db/revprops/* rw, + /srv/svn/**/db/transactions/** rw, + + # BDB + /srv/svn/**/db/DB_CONFIG r, + /srv/svn/**/db/__db.[0-9]* rwl, + /srv/svn/**/db/log.[0-9]* rwl, + /srv/svn/**/db/nodes rwl, + /srv/svn/**/db/revisions rwl, + /srv/svn/**/db/transactions rwl, + /srv/svn/**/db/copies rwl, + /srv/svn/**/db/changes rwl, + /srv/svn/**/db/representations rwl, + /srv/svn/**/db/strings rwl, + /srv/svn/**/db/uuids rwl, + /srv/svn/**/db/locks rwl, + /srv/svn/**/db/lock-tokens rwl, + + # temp files + /tmp/apr* rwl, + /var/tmp/apr* rwl, + /tmp/report*.tmp rwl, diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common new file mode 100644 index 00000000..34567570 --- /dev/null +++ b/apparmor.d/abstractions/systemd-common 
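Review bot: The temp-file rules `/tmp/apr* rwl,`, `/var/tmp/apr* rwl,` and `/tmp/report*.tmp rwl,` have no `owner` qualifier, so a profile including this abstraction may read, write and link to any file matching those predictable names in the shared temp directories, whoever created it. Since the server creates these files itself, `owner /tmp/apr* rwl,` (and likewise for the other two) keeps the access it needs while excluding files planted by other local users. The header comment also has a typo: `explicitely` should be `explicitly`.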
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ ptrace (read),
+
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ /dev/kmsg w,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
new file mode 100644
index 00000000..74109b10
--- /dev/null
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ owner @{HOME}/.cache/thumbnails/ r,
+ owner @{HOME}/.cache/thumbnails/{large,normal}/ r,
+ owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
new file mode 100644
index 00000000..fdd16f20
--- /dev/null
+++ b/apparmor.d/abstractions/thumbnails-cache-write
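Review bot: `ptrace (read),` in systemd-common carries no `peer=` qualifier, so every profile including this abstraction gains ptrace-read over all processes on the host, which is what gates reading other confined processes' /proc entries; the only reads in this hunk that need it are `@{PROC}/1/environ r,` and `@{PROC}/1/sched r,`. Since PID 1 normally runs unconfined, `ptrace (read) peer=unconfined,` would cover those two reads without extending the grant to other confined domains (to be confirmed against the includers). A comment above the rule naming the two /proc reads that motivate it would also make the scope reviewable, e.g. `# ptrace read: needed to read /proc/1/{environ,sched} below`.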
@@ -0,0 +1,17 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + #abi , + + owner @{HOME}/.cache/thumbnails/ rw, + owner @{HOME}/.cache/thumbnails/{large,normal}/ rw, + owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9], diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor new file mode 100644 index 00000000..f2fe3c4e --- /dev/null +++ b/apparmor.d/abstractions/tor @@ -0,0 +1,31 @@ +# vim:syntax=apparmor + + #include + #include + #include + + network tcp, + network udp, + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + /usr/bin/tor r, + /usr/sbin/tor r, + + # Needed by obfs4proxy + /proc/sys/net/core/somaxconn r, + + /proc/sys/kernel/random/uuid r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/** r, + + /etc/tor/* r, + /usr/share/tor/** r, + + /usr/bin/obfsproxy PUx, + /usr/bin/obfs4proxy Pix, diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem new file mode 100644 index 00000000..e8b82a83 --- /dev/null +++ b/apparmor.d/abstractions/totem 
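Review bot: In the tor abstraction `/usr/bin/obfsproxy PUx,` falls back to running the helper unconfined when no `obfsproxy` profile is loaded, while the neighbouring `/usr/bin/obfs4proxy Pix,` falls back to inheriting the caller's profile; the difference is not explained and means a missing profile silently lifts all confinement for one of the two pluggable transports. If the asymmetry is deliberate a comment should say why, otherwise `Pix` (or `Px` with a profile in the tree) keeps the transport confined. As a matter of consistency with the rest of the commit, the hard-coded `/proc/sys/net/core/somaxconn`, `/proc/sys/kernel/random/uuid` and `/sys/devices/system/cpu/` rules should use `@{PROC}` and `@{sys}` like every other abstraction here.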
@@ -0,0 +1,53 @@ +# vim:syntax=apparmor +# Author: Jamie Strandboge + +# Description: Limit executable access and reasonable read access. A look at +# the gconf schema files for totem-video-thumbnailer reveals at least the +# following files: +# 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac, +# flc, fli, flic, flv, google-video-pointer, gpp, gsm, m4a, m4v, matroska, +# midi, mod, mp3, mp4, mp4es, mpeg, mpt2, msvideo, ms-wm, musepack,mxf, +# netshow, nsv, off, ogm, pict, pn-realaudio, prs.sid, quicktime, ram, +# realpix, rn, sbc, sdp, shorten, speex, theora, totem-stream, tta, ultravox, +# vivo, vorbis, wav, wavpack, wax, webm, wma, wmv, wmx, wpl, wvx, x-anim, +# x-it, xm +# +# While ideally we would narrow down our read access to the above, this is +# a maintenance problem and doesn't work for files without extensions. + + #include + #include + #include + #include + + # Allow read on all directories + /**/ r, + + # Allow read on removable media and files in /usr/share and /usr/local/share + /usr/local/share/** r, + /usr/share/** r, + /{media,mnt,opt,srv}/** r, + + owner @{HOME}/.cache/mesa/** rwk, + owner @{HOME}/.cache/thumbnails/** rw, + owner @{HOME}/.cache/totem/ rw, + owner @{HOME}/.cache/totem/** rwk, + owner @{HOME}/.cache/totem-* rwk, + owner @{HOME}/.cache/tracker/db-locale.txt r, + owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk, + owner @{HOME}/.cache/tracker/ontologies.gvdb r, + owner @{HOME}/.config/totem/ rwk, + owner @{HOME}/.config/totem/** rwk, + owner @{HOME}/.local/share/grilo-plugins/ rwk, + owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, + owner @{HOME}/.local/share/gvfs-metadata/** r, + owner @{HOME}/.local/share/totem/ rwk, + owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk, + + owner @{PROC}/@{pid}/{mountinfo,status} r, + + /run/udev/data/c* r, + /run/udev/data/+drm:card* r, + /run/udev/data/+usb* r, + + /sys/devices/system/node/*/meminfo r, 
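Review bot: The totem abstraction hard-codes `/run/udev/data/...` and `/sys/devices/system/node/*/meminfo` while the rest of the commit consistently writes `/{,var/}run/...` and `@{sys}/...`; on a system where the tunables point elsewhere these rules silently stop matching. Rewriting them as `/{,var/}run/udev/data/c* r,` and `@{sys}/devices/system/node/*/meminfo r,` keeps the abstraction in line with its siblings. A one-line comment above `/**/ r,` noting that it lists every directory on the system, including other users' homes where DAC permits, would make that deliberately broad grant explicit.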
diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash new file mode 100644 index 00000000..78b42f10 --- /dev/null +++ b/apparmor.d/abstractions/trash 
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + #abi , + + owner @{HOME}/.config/trashrc rw, + owner @{HOME}/.config/trashrc.lock rwk, + owner @{HOME}/.config/#[0-9]*[0-9] rwk, + owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + + owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw, + owner /{var/,}run/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9], + + # Home trash location + owner @{HOME}/.local/share/Trash/ rw, + owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw, + owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9], + owner @{HOME}/.local/share/Trash/files/{,**} rw, + owner @{HOME}/.local/share/Trash/info/ rw, + owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw, + + # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir + owner /media/*/.Trash/ rw, + owner /media/*/.Trash/[0-9]*/ rw, + owner /media/*/.Trash/[0-9]*/#[0-9]*[0-9] rw, + owner /media/*/.Trash/[0-9]*/directorysizes{,.*} rwl -> /media/*/.Trash/[0-9]*/#[0-9]*[0-9], + owner /media/*/.Trash/[0-9]*/files/{,**} rw, + owner /media/*/.Trash/[0-9]*/info/ rw, + owner /media/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw, + + # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir + owner /media/*/.Trash-[0-9]*/ rw, + owner /media/*/.Trash-[0-9]*/#[0-9]*[0-9] rw, + owner /media/*/.Trash-[0-9]*/directorysizes{,.*} rwl -> /media/*/.Trash-[0-9]*/#[0-9]*[0-9], + owner /media/*/.Trash-[0-9]*/files/{,**} rw, + owner /media/*/.Trash-[0-9]*/info/ rw, + owner 
/media/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw, diff --git a/apparmor.d/abstractions/ubuntu-bittorrent-clients b/apparmor.d/abstractions/ubuntu-bittorrent-clients new file mode 100644 index 00000000..fb820c5a --- /dev/null +++ b/apparmor.d/abstractions/ubuntu-bittorrent-clients @@ -0,0 +1,17 @@ +# vim:syntax=apparmor +# +# abstraction for allowing graphical bittorrent clients in Ubuntu +# +# Users of this abstraction need to #include the ubuntu-helpers abstraction +# in the toplevel profile. Eg: +# #include + + /usr/bin/azureus Cxr -> sanitized_helper, + /usr/bin/bitstormlite Cxr -> sanitized_helper, + /usr/bin/btmaketorrentgui Cxr -> sanitized_helper, + /usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper, + /usr/bin/gnome-btdownload Cxr -> sanitized_helper, + /usr/bin/kget Cxr -> sanitized_helper, + /usr/bin/ktorrent Cxr -> sanitized_helper, + /usr/bin/qbittorrent Cxr -> sanitized_helper, + /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers b/apparmor.d/abstractions/ubuntu-browsers new file mode 100644 index 00000000..d4438ad6 --- /dev/null +++ b/apparmor.d/abstractions/ubuntu-browsers 
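Review bot: The removable-media rules in the trash abstraction match only one path component under /media (`/media/*/.Trash/` and `/media/*/.Trash-[0-9]*/`), but udisks2-based desktops mount removable media at `/media/<user>/<label>/`, where the trash directory sits one level deeper and these rules would not match; which layout this tree targets is not visible from the diff. If both layouts are in scope, `/media/*{,/*}/.Trash-[0-9]*/` (and the same for `.Trash/`) covers them. The header comments before each block say "when the admin creates the .Trash/ folder"; spelling out that this is the FreeDesktop trash spec's `$topdir/.Trash/$uid` versus `$topdir/.Trash-$uid` fallback would make the distinction clearer.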
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to graphical browsers in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ /usr/bin/arora Cx -> sanitized_helper,
+ /usr/bin/conkeror Cx -> sanitized_helper,
+ /usr/bin/dillo Cx -> sanitized_helper,
+ /usr/bin/Dooble Cx -> sanitized_helper,
+ /usr/bin/epiphany Cx -> sanitized_helper,
+ /usr/bin/epiphany-browser Cx -> sanitized_helper,
+ /usr/bin/epiphany-webkit Cx -> sanitized_helper,
+ /usr/lib/fennec-*/fennec Cx -> sanitized_helper,
+ /usr/bin/galeon Cx -> sanitized_helper,
+ /usr/bin/kazehakase Cx -> sanitized_helper,
+ /usr/bin/konqueror Cx -> sanitized_helper,
+ /usr/bin/midori Cx -> sanitized_helper,
+ /usr/bin/netsurf Cx -> sanitized_helper,
+ /usr/bin/prism Cx -> sanitized_helper,
+ /usr/bin/rekonq Cx -> sanitized_helper,
+ /usr/bin/seamonkey Cx -> sanitized_helper,
+ /usr/bin/sensible-browser Pixr,
+
+ /usr/bin/chromium{,-browser} Cx -> sanitized_helper,
+ /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
+
+ # this should cover all firefox browsers and versions (including shiretoko
+ # and abrowser)
+ /usr/bin/firefox Cxr -> sanitized_helper,
+ /usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
+
+ # Iceweasel
+ /usr/bin/iceweasel Cxr -> sanitized_helper,
+ /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
+
+ # some unpackaged, but popular browsers
+ /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
+ /usr/bin/opera Cx -> sanitized_helper,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/java b/apparmor.d/abstractions/ubuntu-browsers.d/java
new file mode 100644
index 00000000..e0a67cf3
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -0,0 +1,118 @@
+# vim:syntax=apparmor
+
+ # Java plugin
+ owner @{HOME}/.java/deployment/deployment.properties k,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
+ /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
+ owner /{,var/}run/user/*/icedteaplugin-*/ rw,
+ owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
+
+ # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
+ # unfortunate workarounds of the proprietary Javas, so have a separate
+ # profile.
+ profile browser_openjdk {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+ /etc/writable/timezone r,
+
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
+ /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
+
+ # Why would java need this?
+ deny /usr/bin/gconftool-2 x,
+
+ owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
+ owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+ }
+
+ # Profile for commercial Javas. These need workarounds to work right (eg
+ # Sun's forcing of an executable stack (LP: #535247)).
+ profile browser_java {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+ @{PROC}/loadavg r,
+
+ /etc/debian_version r,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+ /etc/writable/timezone r,
+
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
+ /usr/lib/j2*-ibm/jre/bin/java ix,
+
+ # noisy, can't write here anyway
+ deny /etc/.java/ w,
+ deny /etc/.java/** w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+
+ # These are seriously unfortunate, but required due to LP: #535247
+ /etc/passwd m,
+ owner @{HOME}/.java/**/cache/** m,
+ owner /tmp/** m,
+ /usr/lib{,32,64}/jvm/**/*.jar mr,
+ /usr/share/fonts/** m,
+ }
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/kde b/apparmor.d/abstractions/ubuntu-browsers.d/kde
new file mode 100644
index 00000000..038952a8
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/kde
@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ #include
+ /usr/bin/kde4-config Cx -> sanitized_helper,
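Review bot: In ubuntu-browsers.d/java, both `browser_openjdk` and `browser_java` close with `owner @{HOME}/ r,` and `owner @{HOME}/** rwk,`, which lets the plugin-spawned JVM read and write everything under the home directory, including SSH and GnuPG key material. The `user-files` abstraction added in this same commit carves those paths out with `audit deny @{HOME}/.ssh/{,**} mrwkl,` and `audit deny @{HOME}/.gnupg/{,**} mrwkl,`; because AppArmor gives explicit deny rules precedence over allow rules, the same lines (plus the kwallet one) could be placed inside each of the two child profiles without otherwise changing them. If the home-wide grant is intentional for this imported Ubuntu policy, a comment next to the rule saying so would save the next reader the question.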
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/mailto b/apparmor.d/abstractions/ubuntu-browsers.d/mailto
new file mode 100644
index 00000000..40236a7b
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/mailto
@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+
+ # for mailto:
+ #include
+ #include
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrct access to what only firefox is allowed to do
+ #include
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
new file mode 100644
index 00000000..591d6b85
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
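Review bot: In ubuntu-browsers.d/mailto the comment line `# have 'ix' to restrct access to what only firefox is allowed to do` misspells "restrict"; suggest `# have 'ix' to restrict access to what only firefox is allowed to do`. The rest of that hunk is include lines only, so nothing else in the file needs to change.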
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ #include
+
+ # Pulseaudio
+ /usr/bin/pulseaudio Pixr,
+
+ # Image viewers
+ /usr/bin/eog Cxr -> sanitized_helper,
+ /usr/bin/gimp* Cxr -> sanitized_helper,
+ /usr/bin/shotwell Cxr -> sanitized_helper,
+ /usr/bin/digikam Cxr -> sanitized_helper,
+ /usr/bin/f-spot Cxr -> sanitized_helper,
+ /usr/bin/gwenview Cxr -> sanitized_helper,
+
+ #include
+ owner @{HOME}/.adobe/ w,
+ owner @{HOME}/.adobe/** rw,
+ owner @{HOME}/.macromedia/ w,
+ owner @{HOME}/.macromedia/** rw,
+ /opt/real/RealPlayer/mozilla/nphelix.so rm,
+ /usr/bin/lpstat Cxr -> sanitized_helper,
+ /usr/bin/lpr Cxr -> sanitized_helper,
+
+ # npviewer
+ /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,
+ /var/lib/ r,
+ /var/lib/**/*.so mr,
+ /usr/bin/setarch ixr,
+
+ # Bittorrent clients
+ #include
+
+ # Mozplugger
+ /etc/mozpluggerrc r,
+ /usr/bin/mozplugger-helper Cxr -> sanitized_helper,
+
+ # Archivers
+ /usr/bin/ark Cxr -> sanitized_helper,
+ /usr/bin/file-roller Cxr -> sanitized_helper,
+ /usr/bin/xarchiver Cxr -> sanitized_helper,
+ /usr/local/lib{,32,64}/*.so* mr,
+
+ # News feed readers
+ #include
+
+ # Googletalk
+ /opt/google/talkplugin/*.so mr,
+ /opt/google/talkplugin/lib/*.so mr,
+ /opt/google/talkplugin/GoogleTalkPlugin ixr,
+ owner @{HOME}/.config/google-googletalkplugin/** rw,
+
+ # If we allow the above, nvidia based systems will also need this
+ #include
+
+ # Virus scanners
+ /usr/bin/clamscan Cx -> sanitized_helper,
+
+ # gxine (LP: #1057642)
+ /var/lib/xine/gxine.desktop r,
+
+ # For WebRTC camera access (LP: #1665535)
+ /dev/video[0-9]* rw,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common b/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
new file mode 100644
index 00000000..c928f92c
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
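Review bot: In ubuntu-browsers.d/multimedia, `/var/lib/ r,` and `/var/lib/**/*.so mr,` under the `# npviewer` comment let the browser map any shared object anywhere beneath `/var/lib` as executable, which is far wider than the nspluginwrapper viewer the comment names; `/usr/local/lib{,32,64}/*.so* mr,` in the `# Archivers` group has the same shape. Narrowing the `m` rule to the directory the viewer actually loads plugins from, e.g. `/var/lib/<PLUGIN_DIR>/**/*.so mr,` with the real subdirectory filled in, keeps the code-loading surface to what the comment describes. If the breadth is needed by a helper not listed here, a comment naming it would make the rule auditable later.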
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+
+ #
+ # Plugins/helpers
+ #
+ @{PROC}/@{pid}/fd/ r,
+ /usr/lib/** rm,
+ /{,usr/}bin/bash ixr,
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/grep ixr,
+ /{,usr/}bin/sed ixr,
+ /usr/bin/m4 ixr,
+
+ # Since all the ubuntu-browsers.d abstractions need this, just include it
+ # here
+ #include
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/productivity b/apparmor.d/abstractions/ubuntu-browsers.d/productivity
new file mode 100644
index 00000000..2c898d13
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/productivity
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ # Openoffice.org
+ /usr/bin/ooffice Cxr -> sanitized_helper,
+ /usr/bin/oocalc Cxr -> sanitized_helper,
+ /usr/bin/oodraw Cxr -> sanitized_helper,
+ /usr/bin/ooimpress Cxr -> sanitized_helper,
+ /usr/bin/oowriter Cxr -> sanitized_helper,
+ /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
+
+ # LibreOffice
+ /usr/bin/libreoffice Cxr -> sanitized_helper,
+ /usr/bin/localc Cxr -> sanitized_helper,
+ /usr/bin/lodraw Cxr -> sanitized_helper,
+ /usr/bin/loimpress Cxr -> sanitized_helper,
+ /usr/bin/lowriter Cxr -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+
+ # PDFs
+ /usr/bin/evince Cxr -> sanitized_helper,
+ /usr/bin/okular Cxr -> sanitized_helper,
+
+ owner @{HOME}/.adobe/** rw,
+ /opt/Adobe/Reader9/bin/acroread Cxr -> sanitized_helper,
+ /opt/Adobe/Reader9/** r,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/text-editors b/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
new file mode 100644
index 00000000..bf5eb1d1
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
@@ -0,0 +1,14 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
+ /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
+ /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
+ /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
+ /usr/bin/gedit Cxr -> sanitized_helper,
+ /usr/bin/vim.gnome Cxr -> sanitized_helper,
+ /usr/bin/leafpad Cxr -> sanitized_helper,
+ /usr/bin/mousepad Cxr -> sanitized_helper,
+ /usr/bin/kate Cxr -> sanitized_helper,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
new file mode 100644
index 00000000..0cd0928e
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ # Apport
+ /usr/bin/apport-bug Cx -> sanitized_helper,
+
+ # Package installation
+ /usr/bin/apturl Cxr -> sanitized_helper,
+ /usr/bin/gnome-codec-install Cxr -> sanitized_helper,
+ /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+ /usr/lib/@{multiarch}/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+ /usr/share/software-center/software-center Cxr -> sanitized_helper,
+
+ # Input Methods
+ /usr/bin/scim Cx -> sanitized_helper,
+ /usr/bin/scim-bridge Cx -> sanitized_helper,
+
+ # File managers
+ /usr/bin/nautilus Cxr -> sanitized_helper,
+ /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
+ /usr/bin/dolphin Cxr -> sanitized_helper,
+
+ # Themes
+ /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
+
+ # Kubuntu
+ /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
+
+ # Exo-aware applications
+ /usr/bin/exo-open ixr,
+ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
+ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
+ /etc/xdg/xfce4/helpers.rc r,
+
+ # unity webapps integration. Could go in its own abstraction
+ owner /run/user/*/dconf/user rw,
+ owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
+ /usr/bin/debconf-communicate Cxr -> sanitized_helper,
+ owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
new file mode 100644
index 00000000..0429c13f
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
@@ -0,0 +1,6 @@
+# vim:syntax=apparmor
+
+ # firefox-notify
+ #include
+ /usr/bin/python2.[4567] ix,
+ /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
new file mode 100644
index 00000000..ffe68245
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+
+ # Allow read to all files user has DAC access to and write access to all
+ # files owned by the user in $HOME.
+ @{HOME}/ r,
+ @{HOME}/** r,
+ owner @{HOME}/** w,
+
+ # Do not allow read and/or write to particularly sensitive/problematic files
+ #include
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
+ # Comment this out if using gpg plugin/addons
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+
+ # Allow read to all files user has DAC access to and write for files the user
+ # owns on removable media and filesystems.
+ /media/** r,
+ /mnt/** r,
+ /srv/** r,
+ /net/** r,
+ owner /media/** w,
+ owner /mnt/** w,
+ owner /srv/** w,
+ owner /net/** w,
diff --git a/apparmor.d/abstractions/ubuntu-console-browsers b/apparmor.d/abstractions/ubuntu-console-browsers
new file mode 100644
index 00000000..554469e7
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-console-browsers
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to text-only browsers in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ /usr/bin/elinks Cx -> sanitized_helper,
+ /usr/bin/links Cx -> sanitized_helper,
+ /usr/bin/lynx.cur Cx -> sanitized_helper,
+ /usr/bin/netrik Cx -> sanitized_helper,
+ /usr/bin/w3m Cx -> sanitized_helper,
+
diff --git a/apparmor.d/abstractions/ubuntu-console-email b/apparmor.d/abstractions/ubuntu-console-email
new file mode 100644
index 00000000..f77c9bd6
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-console-email
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing console email clients in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ /usr/bin/alpine Cx -> sanitized_helper,
+ /usr/bin/citadel Cx -> sanitized_helper,
+ /usr/bin/cone Cx -> sanitized_helper,
+ /usr/bin/elmo Cx -> sanitized_helper,
+ /usr/bin/mutt Cx -> sanitized_helper,
+
diff --git a/apparmor.d/abstractions/ubuntu-email b/apparmor.d/abstractions/ubuntu-email
new file mode 100644
index 00000000..48e0c6f4
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-email
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical email clients in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ /usr/bin/anjal Cx -> sanitized_helper,
+ /usr/bin/balsa Cx -> sanitized_helper,
+ /usr/bin/claws-mail Cx -> sanitized_helper,
+ /usr/bin/evolution Cx -> sanitized_helper,
+ /usr/bin/geary Cx -> sanitized_helper,
+ /usr/bin/gnome-gmail Cx -> sanitized_helper,
+ /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
+ /usr/bin/kmail Cx -> sanitized_helper,
+ /usr/bin/mailody Cx -> sanitized_helper,
+ /usr/bin/modest Cx -> sanitized_helper,
+ /usr/bin/seamonkey Cx -> sanitized_helper,
+ /usr/bin/sylpheed Cx -> sanitized_helper,
+ /usr/bin/tkrat Cx -> sanitized_helper,
+
+ /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop
+ /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
diff --git a/apparmor.d/abstractions/ubuntu-feed-readers b/apparmor.d/abstractions/ubuntu-feed-readers
new file mode 100644
index 00000000..85379e30
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-feed-readers
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical news feed readers in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ /usr/bin/akregator Cxr -> sanitized_helper,
+ /usr/bin/liferea-add-feed Cxr -> sanitized_helper,
diff --git a/apparmor.d/abstractions/ubuntu-gnome-terminal b/apparmor.d/abstractions/ubuntu-gnome-terminal
new file mode 100644
index 00000000..7604df1e
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-gnome-terminal
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+#
+# for allowing access to gnome-terminal
+#
+
+ #include
+
+ # do not use ux or PUx here. Use at a minimum ix
+ /usr/bin/gnome-terminal ix,
+
diff --git a/apparmor.d/abstractions/ubuntu-helpers b/apparmor.d/abstractions/ubuntu-helpers
new file mode 100644
index 00000000..a1ab7bc0
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-helpers
@@ -0,0 +1,83 @@
+# Lenient profile that is intended to be used when 'Ux' is desired but
+# does not provide enough environment sanitizing. This effectively is an
+# open profile that blacklists certain known dangerous files and also
+# does not allow any capabilities. For example, it will not allow 'm' on files
+# owned be the user invoking the program. While this provides some additional
+# protection, please use with care as applications running under this profile
+# are effectively running without any AppArmor protection. Use this profile
+# only if the process absolutely must be run (effectively) unconfined.
+#
+# Usage:
+# Because this abstraction defines the sanitized_helper profile, it must only
+# be #included once. Therefore this abstraction should typically not be
+# included in other abstractions so as to avoid parser errors regarding
+# multiple definitions.
+#
+# Limitations:
+# 1. This does not work for root owned processes, because of the way we use
+# owner matching in the sanitized helper. We could do a better job with
+# this to support root, but it would make the policy harder to understand
+# and going unconfined as root is not desirable any way.
+#
+# 2. For this sanitized_helper to work, the program running in the sanitized
+# environment must open symlinks directly in order for AppArmor to mediate
+# it. This is confirmed to work with:
+# - compiled code which can load shared libraries
+# - python imports
+# It is known not to work with:
+# - perl includes
+# 3. Sanitizing ruby and java
+#
+# Use at your own risk. This profile was developed as an interim workaround for
+# LP: #851986 until AppArmor utilizes proper environment filtering.
+
+profile sanitized_helper {
+ #include
+ #include
+
+ # Allow all networking
+ network inet,
+ network inet6,
+
+ # Allow all DBus communications
+ #include
+ #include
+ dbus,
+
+ # Needed for Google Chrome
+ ptrace (trace) peer=**//sanitized_helper,
+
+ # Allow exec of anything, but under this profile. Allow transition
+ # to other profiles if they exist.
+ /{usr/,usr/local/,}{bin,sbin}/* Pixr,
+
+ # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
+ /usr/{,local/}lib*/{,**/}* Pixr,
+
+ # Allow exec of software-center scripts. We may need to allow wider
+ # permissions for /usr/share, but for now just do this. (LP: #972367)
+ /usr/share/software-center/* Pixr,
+
+ # Allow exec of texlive font build scripts (LP: #1010909)
+ /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
+ # While the chromium and chrome sandboxes are setuid root, they only link
+ # in limited libraries so glibc's secure execution should be enough to not
+ # require the santized_helper (ie, LD_PRELOAD will only use standard system
+ # paths (man ld.so)).
+ /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+
+ # Full access
+ / r,
+ /** rwkl,
+ /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+
+ # Dangerous files
+ audit deny owner /**/* m, # compiled libraries
+ audit deny owner /**/*.py* r, # python imports
+}
diff --git a/apparmor.d/abstractions/ubuntu-konsole b/apparmor.d/abstractions/ubuntu-konsole
new file mode 100644
index 00000000..baa8fb39
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-konsole
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+#
+# for allowing access to konsole
+#
+
+ #include
+ #include
+ capability sys_ptrace,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/cmdline r,
+ /{,var/}run/utmp r,
+ /dev/ptmx rw,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/konsole ix,
+
diff --git a/apparmor.d/abstractions/ubuntu-media-players b/apparmor.d/abstractions/ubuntu-media-players
new file mode 100644
index 00000000..5918cb8c
--- /dev/null
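Review bot: The header comment of ubuntu-helpers, which is the only place the contract of `sanitized_helper` is written down, has two typos that trip the reader: `# owned be the user invoking the program.` should read `# owned by the user invoking the program.`, and `# require the santized_helper (ie, LD_PRELOAD will only use standard system` should say `sanitized_helper`. The "must only be #included once" rule in the Usage paragraph is also worth repeating as a one-line comment directly above `profile sanitized_helper {`, since the other abstractions in this commit that depend on it (ubuntu-browsers, the ubuntu-browsers.d files, ubuntu-email, ubuntu-media-players) only tell the reader to include it from the top-level profile and not why the placement matters.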
+++ b/apparmor.d/abstractions/ubuntu-media-players 
@@ -0,0 +1,60 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to media players in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include
+
+ /usr/bin/amarok Cxr -> sanitized_helper,
+ /usr/bin/audacious2 Cxr -> sanitized_helper,
+ /usr/bin/audacity Cxr -> sanitized_helper,
+ /usr/bin/bangarang Cxr -> sanitized_helper,
+ /usr/bin/banshee Cxr -> sanitized_helper,
+ /usr/bin/banshee-1 Cxr -> sanitized_helper,
+ /usr/bin/decibel Cxr -> sanitized_helper,
+ /usr/bin/dragon Cxr -> sanitized_helper,
+ /usr/bin/esperanza Cxr -> sanitized_helper,
+ /usr/bin/exaile Cxr -> sanitized_helper,
+ /usr/bin/freevo Cxr -> sanitized_helper,
+ /usr/bin/gmerlin Cxr -> sanitized_helper,
+ /usr/bin/gxmms Cxr -> sanitized_helper,
+ /usr/bin/gxmms2 Cxr -> sanitized_helper,
+ /usr/bin/hornsey Cxr -> sanitized_helper,
+ /usr/bin/jlgui Cxr -> sanitized_helper,
+ /usr/bin/juk Cxr -> sanitized_helper,
+ /usr/bin/kaffeine Cxr -> sanitized_helper,
+ /usr/bin/listen Cxr -> sanitized_helper,
+ /usr/share/minirok/minirok.py Cxr -> sanitized_helper,
+
+ # mplayer
+ /etc/mplayerplug-in.conf r,
+ /usr/bin/gmplayer Cxr -> sanitized_helper,
+ /usr/bin/gnome-mplayer Cxr -> sanitized_helper,
+ /usr/bin/kmplayer Cxr -> sanitized_helper,
+ /usr/bin/mplayer Cxr -> sanitized_helper,
+ /usr/bin/smplayer Cxr -> sanitized_helper,
+
+ /usr/bin/muine Cxr -> sanitized_helper,
+ /usr/bin/potamus Cxr -> sanitized_helper,
+ /usr/bin/promoe Cxr -> sanitized_helper,
+ /usr/bin/qmmp Cxr -> sanitized_helper,
+ /usr/bin/quodlibet Cxr -> sanitized_helper,
+ /usr/bin/rhythmbox Cxr -> sanitized_helper,
+ /usr/bin/strange-quark Cxr -> sanitized_helper,
+ /usr/bin/swfdec-player Cxr -> sanitized_helper,
+ /usr/bin/timidity Cxr -> sanitized_helper,
+ /usr/lib/totem/** ixr,
+ /usr/bin/totem-gstreamer C
xr -> sanitized_helper,
+ /usr/bin/totem-xine Cxr -> sanitized_helper,
+ /usr/bin/totem Cxr -> sanitized_helper,
+ /usr/bin/vlc Cxr -> sanitized_helper,
+ /usr/bin/xfmedia Cxr -> sanitized_helper,
+ /usr/bin/xmms Cxr -> sanitized_helper,
+
+ # gnash
+ /usr/bin/gtk-gnash ixr,
+ /etc/gnashrc r,
+ /etc/gnashpluginrc r,
+ owner @{HOME}/.gnash/ rw,
+ owner @{HOME}/.gnash/** rw,
diff --git a/apparmor.d/abstractions/ubuntu-unity7-base b/apparmor.d/abstractions/ubuntu-unity7-base
new file mode 100644
index 00000000..25e88b69
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-unity7-base
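Review bot: In ubuntu-media-players, `/usr/lib/totem/** ixr,` is the only exec rule in the player list that inherits the caller's profile instead of transitioning with `Cxr -> sanitized_helper`, so anything under `/usr/lib/totem/` runs with the full permissions of the confining browser profile rather than inside the sanitized helper. The `gtk-gnash` rule further down does the same, but the config and `@{HOME}/.gnash` rules that follow it suggest that inheritance is deliberate there; no such context exists for totem. If the totem helpers genuinely need to inherit, a one-line comment above the rule would record that; otherwise `/usr/lib/totem/** Cxr -> sanitized_helper,` matches the surrounding entries.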
@@ -0,0 +1,100 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#
+# Rules common to applications running under Unity 7
+#
+
+#include
+
+#include
+#include
+
+ #
+ # Access required for connecting to/communication with Unity HUD
+ #
+ dbus (send)
+ bus=session
+ path="/com/canonical/hud",
+ dbus (send)
+ bus=session
+ interface="com.canonical.hud.*",
+ dbus (send)
+ bus=session
+ path="/com/canonical/hud/applications/*",
+ dbus (receive)
+ bus=session
+ path="/com/canonical/hud",
+ dbus (receive)
+ bus=session
+ interface="com.canonical.hud.*",
+
+ #
+ # Allow access for connecting to/communication with the appmenu
+ #
+ # dbusmenu
+ dbus (send)
+ bus=session
+ interface="com.canonical.AppMenu.*",
+ dbus (receive, send)
+ bus=session
+ path=/com/canonical/menu/**,
+
+ # gmenu
+ dbus (receive, send)
+ bus=session
+ interface=org.gtk.Actions,
+ dbus (receive, send)
+ bus=session
+ interface=org.gtk.Menus,
+
+ #
+ # Access required for using freedesktop notifications
+ #
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=GetCapabilities,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=GetServerInformation,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=Notify,
+ dbus (receive)
+ bus=session
+ member="Notify"
+ peer=(name="org.freedesktop.DBus"),
+ dbus (receive)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=NotificationClosed,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=CloseNotification,
+
+ # accessibility
+ dbus (send)
+ bus=session
+ peer=(name=org.a11y.Bus),
+ dbus (receive)
+ bus=session
+ interface=org.a11y.atspi*,
+ dbus (receive, send)
+ bus=accessibility,
+
+ #
+ # Deny potentially dangerous access
+ #
+ deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,
diff --git a/apparmor.d/abstractions/ubuntu-unity7-launcher b/apparmor.d/abstractions/ubuntu-unity7-launcher
new file mode 100644
index 00000000..52f6cd43
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-unity7-launcher
@@ -0,0 +1,7 @@
+ #
+ # Access required for connecting to/communicating with the Unity Launcher
+ #
+ dbus (send)
+ bus=session
+ interface="com.canonical.Unity.LauncherEntry"
+ member="Update",
diff --git a/apparmor.d/abstractions/ubuntu-unity7-messaging b/apparmor.d/abstractions/ubuntu-unity7-messaging
new file mode 100644
index 00000000..828592ee
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-unity7-messaging
@@ -0,0 +1,7 @@
+ #
+ # Access required for connecting to/communicating with the Unity messaging
+ # indicator
+ #
+ dbus (receive, send)
+ bus=session
+ path="/com/canonical/indicator/messages/*",
diff --git a/apparmor.d/abstractions/ubuntu-xterm b/apparmor.d/abstractions/ubuntu-xterm
new file mode 100644
index 00000000..a062cc72
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-xterm
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+#
+# for allowing access to xterm
+#
+
+ #include
+ /dev/ptmx rw,
+ /{,var/}run/utmp r,
+ /etc/X11/app-defaults/XTerm r,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/xterm ix,
+
diff --git a/apparmor.d/abstractions/user-download b/apparmor.d/abstractions/user-download
new file mode 100644
index 00000000..ea1043a3
--- /dev/null
+++ b/apparmor.d/abstractions/user-download
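Review bot: In ubuntu-unity7-base, `dbus (receive, send) bus=accessibility,` under `# accessibility` is the only dbus rule in the file with no path, interface or peer qualifier, so a confined application gets unrestricted two-way access to the AT-SPI bus, the channel accessibility-enabled applications use to expose their widget trees and input events; the session-bus rule directly above it is already narrowed to `interface=org.a11y.atspi*`. If the unbounded rule is required because the accessibility bus carries more than the atspi interfaces, a comment saying so would make the asymmetry deliberate; if not, the same `interface=org.a11y.atspi*` qualifier could be applied here.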
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Description: Where common programs should allow users to download
+# files
+
+ owner @{HOME}/tmp/** rwl,
+ owner @{HOME}/[dD]ownload{,s}/ r,
+ owner @{HOME}/[dD]ownload{,s}/** rwl,
+ owner @{HOME}/[^.]* rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/* rwl,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl,
+ owner "@{HOME}/My Downloads/" r,
+ owner "@{HOME}/My Downloads/**" rwl,
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
new file mode 100644
index 00000000..bc2a5b74
--- /dev/null
+++ b/apparmor.d/abstractions/user-download-strict
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ owner @{HOME}/[dD]ownload{,s}/ r,
+ owner @{HOME}/[dD]ownload{,s}/** rwl,
+
+ owner /media/*/[dD]ownload/ r,
+ owner /media/*/[dD]ownload/** rwl,
+
+ owner @{HOME}/[dD]esktop/ r,
+ owner @{HOME}/[dD]esktop/** rwl,
+
+ # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
+ @{HOME}/mount-sshfs/ r,
+ @{HOME}/mount-sshfs/** rwl,
diff --git a/apparmor.d/abstractions/user-mail b/apparmor.d/abstractions/user-mail
new file mode 100644
index 00000000..b799ffca
--- /dev/null
+++ b/apparmor.d/abstractions/user-mail
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # location of user mail, spool and mboxes
+ owner @{HOME}/[mM]ail/ r,
+ owner @{HOME}/[mM]ail/** rwl,
+ owner @{HOME}/postponed* rwl,
+ /var/{,spool/}mail/ r,
+ owner /var/{,spool/}mail/* rwl,
+ owner @{HOME}/mbox.lock* rwl,
+ owner @{HOME}/mbox rw,
+ owner @{HOME}/inbox rw,
+ owner @{HOME}/.forward r,
+ owner @{HOME}/Maildir/ r,
+ owner @{HOME}/Maildir/** rwl,
diff --git a/apparmor.d/abstractions/user-manpages b/apparmor.d/abstractions/user-manpages
new file mode 100644
index 00000000..b7cc0cb8
--- /dev/null
+++ b/apparmor.d/abstractions/user-manpages
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # perhaps your configuration has users elsewhere, or you don't wish
+ # them to read their own manpages
+ owner @{HOME}/man/ r,
+ owner @{HOME}/man/** r,
+ owner @{HOME}/tmp/groff* rwl,
+
+ # kindof required
+ owner /tmp/groff* rwl,
+
+ # standard system manpages
+ /usr/local/share/man/man?/ r,
+ /usr/local/share/man/man?/** r,
+ /usr/{share,X11R6,local,kerberos}/man/** r,
+ /usr/man/** r,
diff --git a/apparmor.d/abstractions/user-tmp b/apparmor.d/abstractions/user-tmp
new file mode 100644
index 00000000..63993d60
--- /dev/null
+++ b/apparmor.d/abstractions/user-tmp
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # per-user tmp directories
+ owner @{HOME}/tmp/** rwkl,
+ owner @{HOME}/tmp/ rw,
+
+ # global tmp directories
+ owner /var/tmp/** rwkl,
+ /var/tmp/ rw,
+ owner /tmp/** rwkl,
+ /tmp/ rw,
diff --git a/apparmor.d/abstractions/user-write b/apparmor.d/abstractions/user-write
new file mode 100644
index 00000000..c6ea29bd
--- /dev/null
+++ b/apparmor.d/abstractions/user-write
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # per-user write directories
+ owner @{HOME}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ r,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ r,
+ owner @{HOME}/[^.]*/ rw,
+ owner @{HOME}/[^.]* rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl,
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/** rwl,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl,
diff --git a/apparmor.d/abstractions/video b/apparmor.d/abstractions/video
new file mode 100644
index 00000000..00a83468
--- /dev/null
+++ b/apparmor.d/abstractions/video
@@ -0,0 +1,6 @@
+# vim:syntax=apparmor
+# video device access
+
+ # System devices
+ @{sys}/class/video4linux r,
+ @{sys}/class/video4linux/** r,
diff --git a/apparmor.d/abstractions/vlc-art-cache-write b/apparmor.d/abstractions/vlc-art-cache-write
new file mode 100644
index 00000000..40a36bf3
--- /dev/null
+++ b/apparmor.d/abstractions/vlc-art-cache-write
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/vlc/ rw,
+ owner @{HOME}/.cache/vlc/art/ rw,
+ owner @{HOME}/.cache/vlc/art/artistalbum/ rw,
+ owner @{HOME}/.cache/vlc/art/artistalbum/**/ rw,
+ owner @{HOME}/.cache/vlc/art/artistalbum/**/art rw,
+ owner @{HOME}/.cache/vlc/art/artistalbum/**/art.jpg rw,
+
diff --git a/apparmor.d/abstractions/vulkan b/apparmor.d/abstractions/vulkan
new file mode 100644
index 00000000..7f0d8cb9
--- /dev/null
+++ b/apparmor.d/abstractions/vulkan
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# Vulkan access requirements
+
+ # System files
+ /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
+ /etc/vulkan/icd.d/{,*.json} r,
+ /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
+ # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
+ @{sys}/devices/pci[0-9]*/*/drm/ r,
+ /usr/share/vulkan/icd.d/{,*.json} r,
+ /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
+
+ # User files
+ owner @{HOME}/.local/share/vulkan/implicit_layer.d/{,*.json} r,
+
diff --git a/apparmor.d/abstractions/wayland b/apparmor.d/abstractions/wayland
new file mode 100644
index 00000000..045865eb
--- /dev/null
+++ b/apparmor.d/abstractions/wayland
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 intrigeri
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ owner /{,var/}run/user/[0-9]*/weston-shared-* rw,
+ owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw,
+ owner /{,var/}run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
diff --git a/apparmor.d/abstractions/web-data b/apparmor.d/abstractions/web-data
new file mode 100644
index 00000000..0baf2990
--- /dev/null
+++ b/apparmor.d/abstractions/web-data
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /srv/www/htdocs/ r,
+ /srv/www/htdocs/** r,
+ # virtual hosting
+ /srv/www/vhosts/ r,
+ /srv/www/vhosts/** r,
+ # mod_userdir
+ @{HOME}/public_html/ r,
+ @{HOME}/public_html/** r,
+
+ /srv/www/rails/*/public/ r,
+ /srv/www/rails/*/public/** r,
+
+ /var/www/html/ r,
+ /var/www/html/** r,
diff --git a/apparmor.d/abstractions/winbind b/apparmor.d/abstractions/winbind
new file mode 100644
index 00000000..e982889e
--- /dev/null
+++ b/apparmor.d/abstractions/winbind
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # pam_winbindd
+ /tmp/.winbindd/pipe rw,
+ /var/{lib,run}/samba/winbindd_privileged/pipe rw,
+ /etc/samba/smb.conf r,
+ /etc/samba/dhcp.conf r,
+ /usr/lib*/samba/valid.dat r,
+ /usr/lib*/samba/upcase.dat r,
+ /usr/lib*/samba/lowcase.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+
diff --git a/apparmor.d/abstractions/wutmp b/apparmor.d/abstractions/wutmp
new file mode 100644
index 00000000..d7509558
--- /dev/null
+++ b/apparmor.d/abstractions/wutmp
@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # some services update wtmp, utmp, and lastlog with per-user
+ # connection information
+ /var/log/lastlog rwk,
+ /var/log/wtmp wk,
+ /{,var/}run/utmp rwk,
diff --git a/apparmor.d/abstractions/xad b/apparmor.d/abstractions/xad
new file mode 100644
index 00000000..54b0f40e
--- /dev/null
+++ b/apparmor.d/abstractions/xad
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2007 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /opt/novell/xad/lib/ r,
+ /opt/novell/xad/lib/lib*.so* mr,
+ /opt/novell/xad/lib/gss/*.so* mr,
+ /opt/novell/lib/libpthread_ext*.so* mr,
+ /opt/novell/lib/libccs2.so* mr,
+ /opt/novell/xad/lib64/ r,
+ /opt/novell/xad/lib64/lib*.so* mr,
+ /opt/novell/xad/lib64/gss/*.so* mr,
+ /opt/novell/lib64/libpthread_ext*.so* mr,
+ /opt/novell/lib64/libccs2.so* mr,
+ /etc/opt/novell/xad/krb5.conf r,
+ /etc/opt/novell/nici.cfg r,
+ /var/opt/novell/nici/* r,
+ /var/opt/novell/nici/*/ r,
+ /var/opt/novell/nici/*/* rw,
diff --git a/apparmor.d/abstractions/xdg-desktop b/apparmor.d/abstractions/xdg-desktop
new file mode 100644
index 00000000..bc8f6a00
--- /dev/null
+++ b/apparmor.d/abstractions/xdg-desktop
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # Entries based on:
+ # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
+
+ owner @{HOME}/.cache/ rw,
+
+ owner @{HOME}/.config/ rw,
+
+ owner @{HOME}/.local/ rw,
+ owner @{HOME}/.local/share/ rw,
+
+ # fallbacks
+ /usr/share/ r,
+ /usr/local/share/ r,
diff --git a/apparmor.d/abstractions/xdg-open b/apparmor.d/abstractions/xdg-open
new file mode 100644
index 00000000..a7692fae
--- /dev/null
+++ b/apparmor.d/abstractions/xdg-open
@@ -0,0 +1,81 @@ +# vim:syntax=apparmor + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via xdg-open helper. xdg-open abstraction +# will allow to use gio-open, kde-open5 and other helpers of the different +# desktop environments. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/xdg-open rPx -> foo//xdg-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//xdg-open { +# #include +# +# # Enable a11y support if considered required by +# # profile author for (rare) error message boxes. +# #include +# +# # Enable gstreamer support if considered required by +# # profile author for (rare) error message boxes. +# include if exists +# +# # needed for ubuntu-* abstractions +# #include +# +# # Only allow to handle http[s]: and mailto: links +# #include +# #include +# +# # < add additional allowed applications here > +# } +# ``` + + #include + + # for openin with `exo-open` + #include + + # for opening with `gio open ` + #include + + # for opening with gvfs-open (deprecated) + #include + + # for opening with kde-open5 + ##include + + # Main executables + + /{,usr/}bin/{b,d}ash mr, + /usr/bin/xdg-open r, + + # Additional executables + + /usr/bin/xdg-mime rix, + /{,usr/}bin/cut rix, # for xdg-mime + /{,usr/}bin/head rix, # for xdg-mime + /{,usr/}bin/sed rix, # for xdg-open + /{,usr/}bin/tr rix, # for xdg-mime + /{,usr/}bin/which rix, # for xdg-open + /{,usr/}bin/{grep,egrep} rix, # for xdg-open + + # System files + + /dev/pts/[0-9]* rw, + /dev/tty w, + /etc/gnome/defaults.list r, # for grep + /usr/share/applications/mimeinfo.cache r, # for grep + /usr/share/terminfo/s/screen r, # for bash on openSUSE + /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime + /var/lib/menu-xdg/applications/ r, # for xdg-mime + + # Usr files + + owner @{HOME}/.local/share/applications/{,*.desktop} r, 
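Review bot: `/dev/pts/[0-9]* rw` under "System files" is not qualified with `owner`, so a child confined by this abstraction may read from and write to any pseudo-terminal on the host, including other users' sessions, while `/dev/tty w` already covers the caller's controlling terminal. Changing it to `owner /dev/pts/[0-9]* rw,` keeps the usual case of the helper script printing to its own terminal working. I cannot tell from the hunk whether some xdg-open path really needs a pty it does not own; if the rule came from an audit entry, the fsuid versus the device's owner in that entry would settle it. The `#include` lines in this hunk have lost their targets in rendering, so the abstractions pulled in could not be reviewed here.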
diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh
new file mode 100644
index 00000000..222c714f
--- /dev/null
+++ b/apparmor.d/abstractions/zsh
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #abi ,
+
+ /usr/share/zsh/{,**} r,
+ /usr/local/share/zsh/{,**} r,
+
+ /{usr/,}lib/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
+
+ /etc/zsh/zshenv r,
+ /etc/zsh/zshrc r,
+ /etc/zsh/zprofile r,
+ /etc/zsh/zlogin r,
+
+ owner @{HOME}/.zshrc r,
+ owner @{HOME}/.zsh_history rw,
+ owner @{HOME}/.zsh_history.LOCK rwk,
+
+ owner @{HOME}/.oh-my-zsh/{,**} r,
+ owner @{HOME}/.oh-my-zsh/log/update.lock/ w,
+
+ owner @{HOME}/.zcompdump-* rw,
diff --git a/apparmor.d/accounts-daemon b/apparmor.d/accounts-daemon
new file mode 100644
index 00000000..e0b0acad
--- /dev/null
+++ b/apparmor.d/accounts-daemon
@@ -0,0 +1,40 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon /usr/libexec/accounts-daemon
+profile accounts-daemon @{exec_path} {
+ #include
+ #include
+ #include
+
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ owner /var/lib/AccountsService/ r,
+ owner /var/lib/AccountsService/** rw,
+
+ /usr/share/accountsservice/{,**} r,
+
+ /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
+
+ /etc/shells r,
+ /etc/shadow r,
+
+ /var/log/wtmp r,
+
+ #include if exists
+}
diff --git a/apparmor.d/acpi b/apparmor.d/acpi
new file mode 100644
index 00000000..b1bcbeb9
--- /dev/null
+++ b/apparmor.d/acpi
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/acpi
+profile acpi @{exec_path} flags=(complain) {
+ #include
+
+ @{exec_path} mr,
+
+ @{sys}/class/thermal/ r,
+ @{sys}/class/power_supply/ r,
+
+ @{sys}/devices/**/power_supply/{,**} r,
+ @{sys}/devices/virtual/thermal/{,**} r,
+
+
+ #include if exists
+}
diff --git a/apparmor.d/adduser b/apparmor.d/adduser
new file mode 100644
index 00000000..1a6cf53f
--- /dev/null
+++ b/apparmor.d/adduser
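Review bot: `profile acpi @{exec_path} flags=(complain) {` ships this profile in complain mode, so every rule in it is advisory and denials are only logged, which leaves `acpi` effectively unconfined until someone removes the flag. The rule set is small and self-contained (the binary plus read-only sysfs globs), so it looks like a candidate for `profile acpi @{exec_path} {` once it has run in complain mode long enough to trust that the `@{sys}/devices/**/power_supply/{,**}` and thermal globs are complete. If complain is deliberate for now, a one-line comment above the profile saying why would stop it from being mistaken for an enforced profile by whoever installs the whole directory.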
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/add{user,group}
+profile adduser @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ # To create a user home dir and give it proper permissions:
+ # mkdir("/home/user", 0755) = 0
+ # chown("/home/user", 1001, 1001) = 0
+ # chmod("/home/user", 0755) = 0
+ capability chown,
+ capability fowner,
+
+ # To set the set-group-ID bit for the user home dir (SETGID_HOME=yes).
+ capability fsetid,
+
+ # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
+ # owner.
+ capability dac_read_search,
+ capability dac_override,
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/rm rix,
+
+ /{usr/,}sbin/useradd rPx,
+ /{usr/,}sbin/userdel rPx,
+ /{usr/,}sbin/groupdel rPx,
+ /{usr/,}sbin/groupadd rPx,
+ /{usr/,}sbin/usermod rPx,
+ /{usr/,}bin/passwd rPx,
+ /{usr/,}bin/gpasswd rPx,
+ /{usr/,}bin/chfn rPx,
+ /{usr/,}bin/chage rPx,
+
+ /etc/{group,passwd,shadow} r,
+
+ /etc/adduser.conf r,
+
+ # To create user dirs
+ @{HOME}/ rw,
+
+ # To copy files from /etc/skel/ to user dirs
+ @{HOME}/.* w,
+ /etc/skel/{,.*} r,
+
+ # What's this for? (#FIXME#)
+ /var/lib/lightdm/{,*} w,
+ /var/lib/sddm/{,*} w,
+
+ #include if exists
+}
diff --git a/apparmor.d/adequate b/apparmor.d/adequate
new file mode 100644
index 00000000..f2c6b54b
--- /dev/null
+++ b/apparmor.d/adequate
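Review bot: the two rules under `# What's this for? (#FIXME#)` grant write access to `/var/lib/lightdm/{,*}` and `/var/lib/sddm/{,*}` with no stated reason, and a write rule into another service's state directory should not ship with an open question attached. The likely trigger is the display-manager packages creating their system user with a home of `/var/lib/lightdm` or `/var/lib/sddm`, in which case adduser is only creating that home directory and the rules belong with the existing `# To create user dirs` case; that is an inference, not something the hunk shows, so it should be confirmed against the audit log before the comment is replaced with e.g. `# Home dirs of display-manager system users created by their packages' postinst`. Note also that `/etc/skel/{,.*} r` and `@{HOME}/.* w` match only direct children of those directories (`*` does not cross `/`), so a skeleton that contains nested files such as `/etc/skel/.config/...` would be denied rather than copied.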
@@ -0,0 +1,114 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/adequate +profile adequate @{exec_path} flags=(complain) { + #include + #include + #include + #include + + #capability sys_tty_config, + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}sbin/ldconfig rix, + + # It wants to ldd all binaries/libs in packages. + /{usr/,}bin/ldd rCx -> ldd, + + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, + + /{usr/,}bin/pkg-config rCx -> pkg-config, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/update-alternatives rPx, + + /var/lib/adequate/pending rwk, + + /etc/shadow r, + + /usr/share/python{,3}/debian_defaults r, + /usr/share/doc/*/copyright r, + /usr/share/**/__pycache__/ r, + /usr/**/*.py r, + + + profile ldd flags=(complain) { + #include + #include + + /{usr/,}bin/ldd mr, + + /{usr/,}bin/* mr, + /{usr/,}sbin/* mr, + /usr/games/* mr, + /{usr/,}lib{,x}{,32,64}/** mr, + /{usr/,}lib/@{multiarch}/** mr, + /usr/share/** r, + + /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, + + /{usr/,}lib/@{multiarch}/ld-*.so rix, + /{usr/,}lib{,x}32/ld-*.so rix, + + } + + profile frontend flags=(complain) { + #include + #include + #include + #include + + /usr/share/debconf/frontend r, + /{usr/,}bin/perl r, + + /{usr/,}bin/adequate rPx, + + /{usr/,}bin/dash rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + 
/usr/share/debconf/templates/adequate.templates r, + + # The following is needed when debconf uses GUI frontends. + #include + #include + #include + #include + capability dac_read_search, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/hostname rPx, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + /etc/shadow r, + + } + + profile pkg-config flags=(complain) { + #include + + /{usr/,}bin/pkg-config mr, + + } + + #include if exists +} diff --git a/apparmor.d/amarok b/apparmor.d/amarok new file mode 100644 index 00000000..e0bc6ee2 --- /dev/null +++ b/apparmor.d/amarok 
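Review bot: `/etc/shadow r` is granted twice, once in the main profile after `/var/lib/adequate/pending rwk,` and again at the end of the `frontend` child, yet nothing visible in either profile explains why a package-consistency checker or its debconf frontend needs the password hash file. When such a read shows up in the audit log for a root process it is frequently an NSS lookup probing shadow rather than a real dependency; in that case `deny /etc/shadow r,` silences the log entry without extending the profile to the hashes. Please confirm adequate actually fails without the rule before keeping it, and if it is needed, add a one-line comment naming the code path that reads it. The same question applies to `@{HOME}/.Xauthority r` in the child, which lacks `owner` and so covers every user's X cookie rather than the invoking user's.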
@@ -0,0 +1,200 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Audio extensions +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, +@{amarok_ext} = [aA]{52,[aA][cC],[cC]3} +@{amarok_ext} += [mM][kK][aA] +@{amarok_ext} += [fF][lL][aA][cC] +@{amarok_ext} += [mM][pP][123cC] +@{amarok_ext} += [oO][gGmM][aA] +@{amarok_ext} += [wW]{,[aA]}[vV] +@{amarok_ext} += [wW][mM]{,[aA]} + +# Image extensions +# bmp, jpg, jpeg, png, gif +@{amarok_ext} += [bB][mM][pP] +@{amarok_ext} += [jJ][pP]{,[eE]}[gG] +@{amarok_ext} += [pP][nN][gG] +@{amarok_ext} += [gG][iI][fF] + +# Playlist extensions +# m3u, m3u8, pls +@{amarok_ext} += [mM]3[uU]{,8} +@{amarok_ext} += [pP][lL][sS] + +@{exec_path} = /{usr/,}bin/amarok +profile amarok @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + ptrace (trace) peer=@{profile_name}, + + # Signals to kdeinit4 (unconfined) + signal (send) peer=unconfined, + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/amarokcollectionscanner rix, + /{usr/,}bin/kde4-config rix, + + /{usr/,}lib/kde4/libexec/lnusertemp rix, + /{usr/,}lib/kde4/libexec/drkonqi rix, + + /{usr/,}bin/kglobalaccel rPUx, + /{usr/,}bin/kbuildsycoca4 rPUx, + /{usr/,}bin/kdeinit4 rPUx, + /{usr/,}bin/knotify4 rPUx, + /{usr/,}bin/ffmpeg rPUx, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + + # Which media files Amarok should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + 
owner /{home,media}/**.@{amarok_ext} rw, + + # Amarok home files + owner @{HOME}/.kde{,4}/share/apps/amarok/ rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/** rwk, + + owner @{HOME}/.kde{,4}/share/apps/knewstuff3/amarok.knsregistry rw, + owner @{HOME}/.kde{,4}/share/config/amarokrc* rw, + owner @{HOME}/.kde{,4}/share/config/amarok_homerc* rw, + owner @{HOME}/.kde{,4}/share/config/amarok-appletsrcm* rw, + owner @{HOME}/.kde{,4}/share/config/amarok-appletsrc* rw, + + owner @{HOME}/.kde{,4}/share/config/kcookiejarrc r, + owner @{HOME}/.kde{,4}/share/config/kio_httprc r, + owner @{HOME}/.kde{,4}/share/config/kioslaverc r, + owner @{HOME}/.kde{,4}/share/config/ktimezonedrc r, + + # Phonon + /{usr/,}lib/@{multiarch}/qt4/plugins/phonon_backend/phonon_vlc.so mr, + + # VLC backend + /{usr/,}lib/@{multiarch}/vlc/plugins/plugins.dat.* r, + /usr/share/vlc/** r, + + # Cache for art images + owner @{HOME}/.kde{,4}/ rw, + owner @{HOME}/.kde{,4}/share/ rw, + owner @{HOME}/.kde{,4}/share/apps/ rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/ rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@[0-9a-f]* rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw, + + owner @{HOME}/.local/share/user-places.xbel rw, + + owner @{HOME}/.config/Trolltech.conf rwk, + + deny /etc/rpc r, + + deny /etc/gnome-vfs-2.0/modules/default-modules.conf r, + + deny owner @{PROC}/@{pid}/cmdline r, + deny owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + # TMP + owner /tmp/#sql_*.{MAI,MAD} rw, + owner /tmp/qipc_{systemsem,sharedmemory}_AmarokScannerMemory[a-f0-9]* rw, + owner /tmp/qt_temp.* rw, + owner /tmp/xauth-[0-9]*-_[0-9] r, + owner /tmp/kde-*/ rw, + + /usr/share/icons/*/index.theme rk, + + 
/{var/,}run/user/[0-9]*/ksocket-*/amarok*.slave-socket rw, + + # What's this for? + deny /etc/mysql/** r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + deny /usr/share/anyremote/** r, + owner @{HOME}/.anyRemote/anyremote.stdout w, + + # Udev silencer + deny @{sys}/bus/ r, + deny @{sys}/class/ r, + deny @{sys}/devices/ r, + deny @{sys}/devices/virtual/net/**/{uevent,type} r, + deny @{sys}/devices/virtual/sound/seq/uevent r, + deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r, + deny @{sys}/devices/system/node/ r, + deny /{,var/}run/udev/data/* r, + + # To generate the crash log info in Amarok + /{usr/,}bin/gdb rCx -> gdb, + profile gdb { + #include + #include + + /{usr/,}bin/gdb mr, + /usr/share/glib-2.0/gdb/{,**} r, + + @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pids}/task/@{tid}/stat r, + owner @{PROC}/@{pids}/task/@{tid}/maps r, + owner @{PROC}/@{pids}/mem r, + + /{usr/,}bin/iconv rix, + /usr/share/gdb/python/ r, + /usr/share/gdb/python/{,**} r, + + ptrace (trace), + + /{usr/,}bin/* r, + + /usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/*.py r, + /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/*.py r, + /usr/share/gcc-[0-9]*/python/{,**} r, + + # Silencer + deny /usr/share/** w, + + } + + #include if exists +} diff --git a/apparmor.d/amixer b/apparmor.d/amixer new file mode 100644 index 00000000..a231a7d5 --- /dev/null +++ b/apparmor.d/amixer 
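Review bot: in the `gdb` child profile, `ptrace (trace),` carries no `peer=` restriction, so the crash-log helper may attach to any process the kernel's yama setting permits, which is far wider than the stated purpose of producing Amarok's own crash log. Restricting it to `ptrace (trace) peer=amarok,` and, on kernels that also mediate the tracee side (I cannot confirm that from the hunk), adding `ptrace (tracedby) peer=amarok//gdb,` next to the existing `ptrace (trace) peer=@{profile_name},` in the main profile would confine it to Amarok. Similarly `signal (send) peer=unconfined,` lets Amarok deliver any signal to any unconfined process, not only kdeinit4 as the comment says; a `set=(...)` limited to the signals that appear in the audit log would narrow that. The `/{usr/,}bin/* r` rule in the same child is broader than gdb needs to read one crashing binary, but is read-only and less pressing.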
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/amixer
+profile amixer @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{HOME}/.config/pulse/ r,
+
+ #include if exists
+}
diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio
new file mode 100644
index 00000000..414858ac
--- /dev/null
+++ b/apparmor.d/android-studio
@@ -0,0 +1,272 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{AS_LIBDIR} = /media/*/android-studio +@{AS_SDKDIR} = /media/*/SDK +@{AS_HOMEDIR} = @{HOME}/.AndroidStudio* +@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects + +@{exec_path} = @{AS_LIBDIR}/bin/studio.sh +profile android-studio @{exec_path} { + #include + #icnlude + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set + # to "1". + capability sys_admin, + capability sys_chroot, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/uid_map w, + + capability sys_ptrace, + + signal (send) set=(term, kill) peer=android-studio//lsb-release, + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/which rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/sed rix, + + /{usr/,}sbin/ldconfig rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/chattr rix, + /{usr/,}bin/setsid rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/kill rix, + + /{usr/,}bin/lsusb rPx, + /{usr/,}bin/xprop rPx, + /{usr/,}bin/xdg-mime rPx, + /{usr/,}bin/ps rPx, + /{usr/,}bin/git rPx, + + /{usr/,}bin/lsb_release rCx -> lsb-release, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/xdg-open rCx -> open, + + /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix, + + /etc/java-[0-9]*-openjdk/** r, + 
/usr/share/java/java-atk-wrapper.jar r, + + /etc/ssl/certs/java/cacerts r, + + / r, + /home/ r, + /media/ r, + /media/*/ r, + /usr/ r, + /{usr/,}lib/ r, + + @{AS_LIBDIR}/ rw, + @{AS_LIBDIR}/** mrwkix, + + # A standard system android SDK location. + # Currently there is only the target platform of API Level 23 packaged, so only apps targeted at + # android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in + # order to use the SDK, build scripts need to be modified. + /{usr/,}lib/android-sdk/ r, + /{usr/,}lib/android-sdk/** mrkix, + /usr/share/android-sdk-platform-*/{,**} r, + deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w, + deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w, + deny /{usr/,}lib/android-sdk/.knownPackages w, + + # This one is used if the standard android SDK location is missing + @{AS_SDKDIR}/ rw, + @{AS_SDKDIR}/** mrwkix, + + owner @{AS_HOMEDIR}/ rw, + owner @{AS_HOMEDIR}/** mrwkix, + + owner @{AS_PROJECTDIR}/ rw, + owner @{AS_PROJECTDIR}/** rwk, + + owner @{HOME}/AndroidStudio/ rw, + owner @{HOME}/AndroidStudio/DeviceExplorer/ rw, + owner @{HOME}/AndroidStudio/DeviceExplorer/** rw, + + owner "@{HOME}/.config/Android Open Source Project/" rw, + owner "@{HOME}/.config/Android Open Source Project/**" rwk, + + owner @{HOME}/.cache/ rw, + owner "@{HOME}/.cache/Android Open Source Project/" rw, + owner "@{HOME}/.cache/Android Open Source Project/**" rw, + + owner @{HOME}/.gradle/ rw, + owner @{HOME}/.gradle/** mrwkix, + + owner @{HOME}/ r, + owner @{HOME}/.android/ rw, + owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**, + + owner @{HOME}/.local/share/Google/ rw, + owner @{HOME}/.local/share/Google/consentOptions/ rw, + owner @{HOME}/.local/share/Google/consentOptions/accepted rw, + + owner @{HOME}/.local/share/kotlin/ rw, + owner @{HOME}/.local/share/kotlin/** rw, + + owner "@{HOME}/.local/share/Android Open Source Project/" rw, + owner "@{HOME}/.local/share/Android Open Source Project/**" 
rwk, + + owner @{HOME}/.java/ rw, + owner @{HOME}/.java/fonts/ rw, + owner @{HOME}/.java/fonts/*/ rw, + owner @{HOME}/.java/fonts/*/fcinfo*.tmp rw, + owner @{HOME}/.java/fonts/*/fcinfo*.properties rw, + owner @{HOME}/.java/.userPrefs/ rw, + owner @{HOME}/.java/.userPrefs/** rwk, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{HOME}/.emulator_console_auth_token rw, + + deny owner @{HOME}/Desktop/* rw, + + @{PROC}/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/ipv6_route r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pids}/task/@{tid}/status r, + owner @{PROC}/@{pids}/stat r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/partitions r, + @{PROC}/vmstat r, + + @{sys}/fs/cgroup/*/** r, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/** rwk, + owner /tmp/native-platform[0-9]*dir/*.so rwm, + + owner /{var,}run/user/[0-9]*/avd/ rw, + owner /{var,}run/user/[0-9]*/avd/running/ rw, + owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw, + + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner /dev/shm/.org.chromium.Chromium.* rw, + + /dev/kvm rw, + + /dev/bus/usb/ r, + /dev/bus/usb/[0-9]*/ r, + /dev/bus/usb/[0-9]*/[0-9]* rw, + + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/serial r, + @{sys}/devices/virtual/block/**/rotational r, + + + profile gpg { + #include + + /{usr/,}bin/gpg mr, + + } + + profile lsb-release { + #include + #include + #include + + signal (receive) set=(term, kill) peer=android-studio, + + /{usr/,}bin/lsb_release r, + 
/{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/apt-cache rPx, + + owner @{PROC}/@{pid}/fd/ r, + + /etc/dpkg/origins/** r, + /etc/debian_version r, + /usr/share/distro-info/*.csv r, + + owner /tmp/android-*/emulator-* w, + owner /tmp/android-*/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/opengl_* w, + + # file_inherit + owner @{HOME}/.android/avd/** r, + /dev/dri/card[0-9]* rw, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + /{usr/,}bin/dash rix, + + # Allowed apps to open + /{usr/,}bin/spacefm rPx, + /{usr/,}bin/smplayer rPx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/geany rPx, + /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/ebook-viewer rPx, + /{usr/,}lib/firefox/firefox rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/anki b/apparmor.d/anki new file mode 100644 index 00000000..a94cd581 --- /dev/null +++ b/apparmor.d/anki 
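Review bot: the second include line of the main profile reads `#icnlude` instead of `#include`; the parser treats any `#` line that is not `#include` as a comment, so that abstraction is silently never loaded and whatever it was meant to grant will surface as denials in the log instead of a parse error. Fix it to `#include` with the original abstraction name (the name itself was lost when this page was rendered, so it cannot be recovered from here). Separately, `capability sys_admin,` is a very broad grant (mount, setns, most privileged ioctls) that the comment justifies only by the `kernel.unprivileged_userns_clone` setting; recording in that comment which operation in the audit log actually requested it, and whether the `owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map} w` rules alone suffice once the sysctl is adjusted, would make it reviewable later. The `profile gpg` child grants only `/{usr/,}bin/gpg mr` on top of base and has no comment saying what gpg is invoked for, which is worth a line since it will need `~/.gnupg` access if it ever does real work.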
@@ -0,0 +1,197 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/anki +profile anki @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=anki//mpv, + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}sbin/ldconfig rix, + + /{usr/,}bin/ r, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/mpv rCx -> mpv, + # For recording sounds while creating decks + /{usr/,}bin/lame rCx -> lame, + + /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, + /usr/share/qt5/**/*.pak r, + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{HOME}/ r, + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/qtshadercache/ rw, + owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + + /usr/share/anki/{,**} r, + + /usr/share/javascript/**/*.js r, + + owner @{HOME}/.local/share/Anki{,2}/ rw, + owner @{HOME}/.local/share/Anki{,2}/** rwk, + + # To remove the following error: + # Error initializing NSS with a persistent database + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + 
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + # If one is blocked, the others are probed. + deny owner @{HOME}/#[0-9]*[0-9] mrw, + owner @{HOME}/.glvnd* mrw, + # owner /tmp/#[0-9]*[0-9] mrw, + # owner /tmp/.glvnd* mrw, + + # The /proc/ dir is needed to avoid the following error: + # [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0) + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + deny owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/task/ r, + deny owner @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + deny owner @{PROC}/@{pid}/cmdline r, + # To remove the following error: + # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied + # (g-file-error-quark, 2) + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny @{PROC}/vmstat r, + deny owner @{PROC}/@{pid}/setgroups w, + + /etc/fstab r, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/* rw, + owner /tmp/anki_temp/ rw, + owner /tmp/anki_temp/** rwk, + owner /tmp/mozilla_*/*.apkg r, + + owner /dev/shm/.org.chromium.Chromium.* rw, + /dev/shm/#[0-9]*[0-9] rw, + + @{sys}/devices/pci[0-9]*/**/irq r, + @{sys}/devices/pci[0-9]*/**/{vendor,device} r, + + /usr/share/hwdata/pnp.ids r, + + /etc/mime.types r, + + # SyncThread + /{usr/,}bin/dash rix, + /{usr/,}bin/uname rix, + /etc/ r, + /etc/debian_version r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + + profile mpv { + #include + #include + #include + #include + + signal (receive) set=(term, kill) peer=anki, + + /{usr/,}bin/mpv mr, + + /etc/mpv/encoding-profiles.conf r, + + owner /tmp/mpv.* rw, + + # For playing sets' sounds + owner 
@{HOME}/.local/share/Anki{,2}/*/collection.media/ r, + owner @{HOME}/.local/share/Anki{,2}/*/collection.media/*.{mp3,wav} r, + owner @{HOME}/.local/share/Anki{,2}/pulse/ r, + owner @{HOME}/.local/share/Anki{,2}/pulse/cookie rk, + + owner @{HOME}/.Xauthority r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + } + + profile lame { + #include + + /{usr/,}bin/lame mr, + + owner @{HOME}/.local/share/Anki{,2}/*/collection.media/rec.{mp3,wav} rw, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/anyremote b/apparmor.d/anyremote new file mode 100644 index 00000000..51c4c97f --- /dev/null +++ b/apparmor.d/anyremote 
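Review bot: `/{usr/,}lib/firefox/firefox rPUx,` appears twice in this profile (the main anki body and the `open` child) and falls back to running Firefox unconfined whenever no firefox profile is loaded, so a link click silently becomes a full confinement escape with nothing in the audit log to show it; the `open` child of the profile that ends just before this file uses `rPx` for the same binary. Unless the fallback is deliberate, use `/{usr/,}lib/firefox/firefox rPx,` in both places so the exec fails closed and the missing profile shows up as a denial. `owner /tmp/* rw,` also gives the QtWebEngine-bearing process write access to every user-owned file directly under /tmp, while the `owner /tmp/anki_temp/` rules right below already cover Anki's own scratch files; drop the wildcard rule unless a concrete denial demands it.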
@@ -0,0 +1,168 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/anyremote +profile anyremote @{exec_path} { + #include + #include + #include + #include + + signal (receive) set=(int, term, kill), + signal (send) set=(term, kill), + + @{exec_path} rm, + + /{usr/,}bin/dash rix, + /{usr/,}bin/bash rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/which rix, + /{usr/,}bin/head rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/sleep rix, + /{usr/,}bin/find rix, + + /{usr/,}bin/convert-im6.q16 rCx -> imagemagic, + /{usr/,}bin/killall rCx -> killall, + /{usr/,}bin/pgrep rCx -> pgrep, + /{usr/,}lib/qt5/bin/qdbus rCx -> qdbus, + /{usr/,}bin/curl rCx -> curl, + + /{usr/,}bin/pacmd rPx, + /{usr/,}bin/pactl rPx, + /{usr/,}bin/wmctrl rPx, + /{usr/,}bin/qtchooser rPx, + /{usr/,}bin/ps rPx, + + # Players + /{usr/,}bin/smplayer rPx, + /{usr/,}bin/amarok rPx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/strawberry rPx, + + owner /tmp/amarok_covers/ rw, + owner /tmp/*.png rw, + + owner @{HOME}/.anyRemote/{,**} rw, + owner @{HOME}/.anyRemote/imdb-mf.sh rix, + + /usr/share/anyremote/{,**} r, + /usr/share/anyremote/cfg-data/Utils/*.sh rix, + + # Video dirs + / r, + /media/ r, + /media/Zami/ r, + owner /media/Zami/Film/ r, + owner /media/Zami/Film/** r, + + deny 
@{PROC}/sys/kernel/osrelease r, + + owner @{HOME}/.Xauthority r, + + + profile imagemagic { + #include + + /{usr/,}bin/convert-im6.q16 mr, + + /usr/share/ImageMagick-[0-9]/*.xml rw, + /etc/ImageMagick-[0-9]/*.xml r, + + /usr/share/anyremote/cfg-data/Icons/common/*.png r, + owner @{HOME}/.anyRemote/*.png rw, + + owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, + + /tmp/ r, + owner /tmp/*.png rw, + owner /tmp/amarok_covers/* rw, + owner /tmp/magick-* rw, + + } + + profile killall { + #include + #include + + capability sys_ptrace, + + signal (send) set=(term, kill), + + ptrace (read), + + /{usr/,}bin/killall mr, + + # The /proc/ dir is needed to avoid the following error: + # /proc: Permission denied + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + + # file_inherit + owner @{HOME}/.anyRemote/anyremote.stdout w, + + } + + profile pgrep { + #include + #include + + signal (send) set=(term, kill), + + /{usr/,}bin/pgrep mr, + + # The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault. + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + deny @{PROC}/sys/kernel/osrelease r, + + # file_inherit + owner @{HOME}/.anyRemote/anyremote.stdout w, + + } + + profile curl { + #include + #include + #include + #include + + /{usr/,}bin/curl mr, + + } + + profile qdbus { + #include + + /{usr/,}lib/qt5/bin/qdbus mr, + + } + + #include if exists +} diff --git a/apparmor.d/apache2.d/phpsysinfo b/apparmor.d/apache2.d/phpsysinfo new file mode 100644 index 00000000..af730910 --- /dev/null +++ b/apparmor.d/apache2.d/phpsysinfo 
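Review bot: The `imagemagic` child grants `/usr/share/ImageMagick-[0-9]/*.xml rw,`, write access to ImageMagick's system-wide XML configuration, for a converter that only turns icons and covers into PNGs; the neighbouring `/etc/ImageMagick-[0-9]/*.xml r,` shows read is all the tool needs. Change it to `/usr/share/ImageMagick-[0-9]/*.xml r,` so a crafted image that trips a converter bug cannot also alter the XML every later ImageMagick run consults. `owner @{HOME}/.anyRemote/imdb-mf.sh rix,` and `/usr/share/anyremote/cfg-data/Utils/*.sh rix,` run user- and package-provided shell scripts with this profile's full rule set, which is how anyremote operates but deserves a one-line comment such as `# user-supplied helper scripts inherit this profile's rules`. The hard-coded `/media/Zami/Film/` rules are host-specific and belong in the `local/` include the profile already references, not in the shared profile.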
@@ -0,0 +1,48 @@ +# Last Modified: Fri Sep 11 13:27:22 2009 +# Author: Marc Deslauriers + + ^phpsysinfo { + #include + #include + #include + #include + #include + + /{,usr/}bin/dash ixr, + /{,usr/}bin/df ixr, + /{,usr/}bin/mount ixr, + /{,usr/}bin/uname ixr, + /dev/bus/usb/ r, + /dev/bus/usb/** r, + /etc/debian_version r, + /etc/lsb-release r, + /etc/mtab r, + /etc/phpsysinfo/config.php r, + /etc/udev/udev.conf r, + @{PROC}/** r, + @{sys}/bus/ r, + @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/** r, + @{sys}/bus/usb/devices/ r, + @{sys}/class/ r, + @{sys}/devices/** r, + /usr/bin/ r, + /usr/bin/apt-cache ixr, + /usr/bin/dpkg-query ixr, + /usr/bin/lsb_release ixr, + /usr/bin/lspci ixr, + /usr/bin/who ixr, + /usr/{,s}bin/lsusb ixr, + /usr/share/phpsysinfo/** r, + /var/lib/dpkg/arch r, + /var/lib/dpkg/available r, + /var/lib/dpkg/status r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + /var/lib/{misc,usbutils}/usb.ids r, + /var/log/apache2/access.log w, + /var/log/apache2/error.log w, + /{,var/}run/utmp rk, + /usr/share/misc/pci.ids r, + } diff --git a/apparmor.d/aplay b/apparmor.d/aplay new file mode 100644 index 00000000..c9122416 --- /dev/null +++ b/apparmor.d/aplay @@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/aplay +profile aplay @{exec_path} flags=(complain) { + #include + #include + + @{exec_path} mr, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/.Xauthority r, + + owner @{HOME}/.config/pulse/ r, + + #include if exists +} 
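Review bot: `@{PROC}/** r,` in the `^phpsysinfo` hat lets the Apache worker read every file under /proc, including `cmdline`, `environ` and `maps` of unrelated processes, which is far more than a system-information page needs, and the hat is reachable from any request to the vhost. Narrow it to the files phpsysinfo is actually observed to parse, for example `@{PROC}/{cpuinfo,meminfo,loadavg,uptime,version,stat,mounts} r,` and `@{PROC}/net/dev r,`, then add back from the audit log whatever else is denied rather than granting the whole tree; the exact list cannot be confirmed from this hunk. `@{sys}/devices/** r,` is similarly broad but far less sensitive and can wait.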
diff --git a/apparmor.d/appstreamcli b/apparmor.d/appstreamcli new file mode 100644 index 00000000..b28dfdf7 --- /dev/null +++ b/apparmor.d/appstreamcli @@ -0,0 +1,66 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/appstreamcli +profile appstreamcli @{exec_path} flags=(complain) { + #include + #include + + @{exec_path} mr, + + # For file valudation using the network + /{usr/,}bin/curl rCx -> curl, + + /etc/appstream.conf r, + + owner @{PROC}/@{pid}/fd/ r, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/appstream-cache-*.mdb rw, + + /usr/share/appdata/ r, + /var/lib/app-info/yaml/ r, + /var/lib/app-info/yaml/*_Components-*.yml.gz w, + + owner /var/cache/app-info/{,**} rw, + owner /tmp/appstream-cache-*.mdb rw, + + owner @{HOME}/.local/share/mime/mime.cache r, + /usr/share/mime/mime.cache r, + + /usr/share/applications/{,*.desktop} r, + + /usr/share/metainfo/ r, + /usr/share/metainfo/*.{metainfo,appdata}.xml r, + + /var/lib/apt/lists/ r, + /var/lib/apt/lists/*_Components-*.gz r, + + # file_inherit + /var/log/cron-apt/temp w, + + + profile curl { + #include + #include + #include + #include + + /{usr/,}bin/curl mr, + + } + + #include if exists +} diff --git a/apparmor.d/apt b/apparmor.d/apt new file mode 100644 index 00000000..a8232d65 --- /dev/null +++ b/apparmor.d/apt 
@@ -0,0 +1,177 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/apt +profile apt @{exec_path} flags=(complain) { + #include + #include + #include + #include + #include + + # To remove the following errors: + # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - + # Item::QueueURI (1: Operation not permitted) + capability fowner, + + # To remove the following errors: + # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + capability chown, + + # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the + # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is + # used by APT to download packages, package list, and other things using APT methods as an + # unprivileged user/group (_apt/nogroup). 
+ # + # To remove the following errors: + # E: setgroups 65534 failed - setgroups (1: Operation not permitted) + # E: setegid 65534 failed - setegid (1: Operation not permitted) + # E: seteuid 100 failed - seteuid (1: Operation not permitted) + # E: setgroups 0 failed - setgroups (1: Operation not permitted) + capability setuid, + capability setgid, + + # To remove the following errors: + # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - + # PrepareFiles (13: Permission denied) + # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied) + capability dac_read_search, + + # To remove the following errors: + # E: Failed to fetch https://**.deb rename failed, Permission denied + # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). + # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? + capability dac_override, + + # Needed? (##FIXME##) + capability kill, + capability fsetid, + + signal (send) peer=apt-methods-*, + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, + + /{usr/,}bin/ps rPx, + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/apt-listbugs rPx, + /{usr/,}bin/apt-listchanges rPx, + /{usr/,}bin/apt-show-versions rPx, + /{usr/,}sbin/dpkg-preconfigure rPx, + /{usr/,}bin/debtags rPx, + /{usr/,}sbin/localepurge rPx, + /{usr/,}bin/appstreamcli rPx, + /{usr/,}bin/adequate rPx, + /{usr/,}sbin/update-command-not-found rPx, + /usr/share/command-not-found/cnf-update-db rPx, + /{usr/,}bin/dpkg-source rcx -> dpkg-source, + + # Methods to use to download packages from the net + /{usr/,}lib/apt/methods/* rPx, + + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/extended_states{,.*} rw, + + /var/log/apt/eipp.log.xz w, + /var/log/apt/{term,history}.log w, + + # For editing the sources.list file + /etc/apt/sources.list rwk, + /{usr/,}bin/sensible-editor rCx -> editor, + /{usr/,}bin/vim.* rCx -> editor, + + 
/var/lib/dpkg/** r, + /var/lib/dpkg/lock{,-frontend} rwk, + + owner @{PROC}/@{pid}/fd/ r, + + owner /tmp/apt.conf.* rw, + owner /tmp/apt.data.* rw, + owner /tmp/apt-dpkg-install-*/ rw, + owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + # For package building + @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + + profile editor flags=(complain) { + #include + #include + + /{usr/,}bin/sensible-editor mr, + /{usr/,}bin/vim.* mrix, + /{usr/,}bin/dash rix, + /{usr/,}bin/which rix, + + owner @{HOME}/.selected_editor r, + + /usr/share/vim/{,**} r, + /etc/vim/{,**} r, + owner @{HOME}/.viminfo{,.tmp} rw, + + owner @{HOME}/.fzf/plugin/ r, + owner @{HOME}/.fzf/plugin/fzf.vim r, + + /etc/apt/sources.list rw, + + } + + profile dpkg-source flags=(complain) { + #include + #include + #include + + /{usr/,}bin/dpkg-source mr, + /{usr/,}bin/perl r, + + /{usr/,}bin/tar rix, + /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/chmod rix, + + /{usr/,}bin/patch rix, + + /etc/dpkg/origins/debian r, + + owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + owner @{HOME}/** rwkl -> @{HOME}/**, + audit deny owner @{HOME}/.* mrwkl, + audit deny owner @{HOME}/.*/ rw, + audit deny owner @{HOME}/.*/** mrwkl, + + } + + #include if exists +} + diff --git a/apparmor.d/apt-cache b/apparmor.d/apt-cache new file mode 100644 index 00000000..e95e9191 --- /dev/null +++ b/apparmor.d/apt-cache 
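Review bot: `/{usr/,}bin/dpkg-source rcx -> dpkg-source,` uses lowercase `cx`, which transitions to the child profile without the environment scrubbing that the uppercase `Cx` used for `sensible-editor` and `vim.*` a few lines above applies, so variables such as LD_PRELOAD from apt's environment flow into dpkg-source; write it as `/{usr/,}bin/dpkg-source rCx -> dpkg-source,` unless the unscrubbed environment is required. `capability kill,` and `capability fsetid,` are marked `Needed? (##FIXME##)`: CAP_KILL is plausibly needed to signal the `_apt`-owned method processes that the `signal (send) peer=apt-methods-*` rule refers to, but `fsetid` has no visible user, and capabilities should be added from a concrete denial rather than kept on speculation. The profile is `flags=(complain)`, so none of this is enforced yet, but these rules are what will be enforced once the flag is removed.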
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/apt-cache
+profile apt-cache @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /var/lib/dpkg/** r,
+ /var/lib/dpkg/lock{,-frontend} rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /var/cache/apt/ r,
+ /var/cache/apt/** rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-cdrom b/apparmor.d/apt-cdrom
new file mode 100644
index 00000000..f9ec2bf6
--- /dev/null
+++ b/apparmor.d/apt-cdrom
@@ -0,0 +1,94 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/apt-cdrom +profile apt-cdrom @{exec_path} flags=(complain) { + #include + #include + #include + + capability dac_read_search, + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + /{usr/,}bin/mount rCx -> mount, + /{usr/,}bin/umount rCx -> umount, + + # Are all of these needed? (#FIXME#) + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + /{var/,}run/udev/data/* r, + + /etc/fstab r, + + # For cd-roms + /media/cdrom[0-9]/ r, + /media/cdrom[0-9]/**/ r, + /media/cdrom[0-9]/.disk/info r, + /media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r, + /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, + + # For pendrives + /media/*/*/ r, + /media/*/*/**/ r, + /media/*/*/.disk/info r, + /media/*/*/dists/**/binary-*/Packages{,.gz} r, + /media/*/*/dists/**/i18n/Translation-en{,.gz} r, + + /var/lib/apt/lists/** rw, + + owner @{PROC}/@{pid}/fd/ r, + + /var/lib/apt/cdroms.list{,.new} rw, + /var/lib/apt/cdroms.list~ w, + + /etc/apt/sources.list{,.new} rw, + /etc/apt/sources.list~ w, + + profile mount flags=(complain) { + #include + + /{usr/,}bin/mount mr, + + /etc/fstab r, + + /media/cdrom[0-9]/ r, + + } + + profile umount flags=(complain) { + #include + + capability sys_admin, + + /{usr/,}bin/umount mr, + + /{var/,}run/mount/utab{,.*} rw, + /{var/,}run/mount/utab.lock rwk, + + owner @{PROC}/@{pid}/mountinfo r, + + umount /media/*/, + umount /media/*/*/, + + } + + #include if exists +} 
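Review bot: The `mount` child profile has no `mount` rule and no `capability sys_admin,`, while its `umount` sibling carries both, so once `flags=(complain)` is dropped the mount step of apt-cdrom will be denied (unless the stripped `#include` line supplies it, which the base abstractions do not). Add a bounded rule next to the existing `/etc/fstab r,`: `capability sys_admin,` and `mount /dev/sr[0-9]* -> /media/cdrom[0-9]*/,`, widening the source if the fstab entry names a different device and tightening it with `options in (ro,nosuid,nodev,noexec)` once the fstab flags are known. Prefer that over a bare `mount,`, which would let the helper mount anything anywhere.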
diff --git a/apparmor.d/apt-config b/apparmor.d/apt-config new file mode 100644 index 00000000..c2137418 --- /dev/null +++ b/apparmor.d/apt-config @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/apt-config +profile apt-config @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + owner @{PROC}/@{pid}/fd/ r, + + #include if exists +} diff --git a/apparmor.d/apt-extracttemplates b/apparmor.d/apt-extracttemplates new file mode 100644 index 00000000..389c53ab --- /dev/null +++ b/apparmor.d/apt-extracttemplates @@ -0,0 +1,39 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/apt-extracttemplates +profile apt-extracttemplates @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + owner @{PROC}/@{pid}/fd/ r, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + owner /tmp/*.{config,template}.?????? rw, + + # For package building + @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + #include if exists +} diff --git a/apparmor.d/apt-file b/apparmor.d/apt-file new file mode 100644 index 00000000..1387b718 --- /dev/null 
+++ b/apparmor.d/apt-file @@ -0,0 +1,41 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/apt-file +profile apt-file @{exec_path} { + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/fgrep rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/xargs rix, + /{usr/,}lib/apt/apt-helper rix, + + /{usr/,}bin/apt-get rPx, + /{usr/,}bin/apt rPx, + + /etc/apt/apt-file.conf r, + + owner @{PROC}/@{pid}/fd/ r, + + # file_inherit + /var/log/cron-apt/temp w, + + #include if exists +} diff --git a/apparmor.d/apt-ftparchive b/apparmor.d/apt-ftparchive new file mode 100644 index 00000000..d53e7627 --- /dev/null +++ b/apparmor.d/apt-ftparchive @@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/apt-ftparchive +profile apt-ftparchive @{exec_path} { + #include + + @{exec_path} mr, + + /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, + + # For package building + @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + #include if exists +} diff --git a/apparmor.d/apt-get b/apparmor.d/apt-get new file mode 100644 index 00000000..fa8e50ab --- /dev/null +++ b/apparmor.d/apt-get 
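Review bot: In the apt-file profile, `/{usr/,}lib/apt/apt-helper rix,` runs APT's downloader inline under apt-file's own rule set, whereas `apt` and `apt-get` on the next lines are sent to their own profiles with `rPx`; the component that talks to the network is the one that least needs apt-file's file and exec permissions. If an apt-helper profile exists in this repository use `/{usr/,}lib/apt/apt-helper rPx,`, otherwise `rCx -> apt-helper` with a child limited to network access and the Contents files it writes; what the removed `#include` lines already grant cannot be seen from this hunk. `/var/log/cron-apt/temp w,` is listed as file_inherit and lacks `owner`, which is consistent with the apt-get profile but worth confirming is intended for a root-only log.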
@@ -0,0 +1,178 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/apt-get +profile apt-get @{exec_path} flags=(complain) { + #include + #include + #include + #include + + # To remove the following errors: + # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - + # Item::QueueURI (1: Operation not permitted) + capability fowner, + + # To remove the following errors: + # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + capability chown, + + # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the + # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is + # used by APT to download packages, package list, and other things using APT methods as an + # unprivileged user/group (_apt/nogroup). 
+ # + # To remove the following errors: + # E: setgroups 65534 failed - setgroups (1: Operation not permitted) + # E: setegid 65534 failed - setegid (1: Operation not permitted) + # E: seteuid 100 failed - seteuid (1: Operation not permitted) + # E: setgroups 0 failed - setgroups (1: Operation not permitted) + capability setuid, + capability setgid, + + # To remove the following errors: + # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - + # PrepareFiles (13: Permission denied) + # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied) + capability dac_read_search, + + # To remove the following errors: + # E: Failed to fetch https://**.deb rename failed, Permission denied + # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). + # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? + capability dac_override, + + # Needed? (##FIXME##) + capability kill, + capability fsetid, + + signal (send) peer=apt-methods-*, + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, + + /{usr/,}bin/ps rPx, + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/apt-listbugs rPx, + /{usr/,}bin/apt-listchanges rPx, + /{usr/,}bin/apt-show-versions rPx, + /{usr/,}sbin/dpkg-preconfigure rPx, + /{usr/,}bin/debtags rPx, + /{usr/,}sbin/localepurge rPx, + /{usr/,}bin/appstreamcli rPx, + /{usr/,}bin/adequate rPx, + /{usr/,}sbin/update-command-not-found rPx, + /usr/share/command-not-found/cnf-update-db rPx, + /{usr/,}bin/dpkg-source rcx -> dpkg-source, + + # Methods to use to download packages from the net + /{usr/,}lib/apt/methods/* rPx, + + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/extended_states{,.*} rw, + + /var/log/apt/eipp.log.xz w, + /var/log/apt/{term,history}.log w, + + # For building the source after the download process is finished (apt-get source --compile) + # (#FIXME#) + /{usr/,}bin/dpkg-buildpackage rPUx, + + # For 
changelogs + /tmp/apt-changelog-*/ w, + owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, + /tmp/apt-changelog-*/*.changelog w, + /{usr/,}bin/sensible-pager rCx -> pager, + + /var/lib/dpkg/** r, + /var/lib/dpkg/lock{,-frontend} rwk, + + owner @{PROC}/@{pid}/fd/ r, + + owner /tmp/apt-tmp-index.* rw, + owner /tmp/apt-dpkg-install-*/ rw, + owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + # For package building + @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + # file_inherit + owner /var/log/cron-apt/temp w, + + + profile pager flags=(complain) { + #include + #include + + capability dac_read_search, + + /{usr/,}bin/sensible-pager mr, + /{usr/,}bin/dash r, + + /{usr/,}bin/which rix, + /{usr/,}bin/less rix, + + owner @{HOME}/.less* rw, + + owner /tmp/apt-changelog-*/*.changelog r, + + } + + profile dpkg-source flags=(complain) { + #include + #include + #include + + /{usr/,}bin/dpkg-source mr, + /{usr/,}bin/perl r, + + /{usr/,}bin/tar rix, + /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/chmod rix, + + /{usr/,}bin/patch rix, + + /etc/dpkg/origins/debian r, + + owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + owner @{HOME}/** rwkl -> @{HOME}/**, + audit deny owner @{HOME}/.* mrwkl, + audit deny owner @{HOME}/.*/ rw, + audit deny owner @{HOME}/.*/** mrwkl, + + } + + #include if exists +} diff --git a/apparmor.d/apt-key b/apparmor.d/apt-key new file mode 100644 index 00000000..4593d27d --- /dev/null +++ b/apparmor.d/apt-key 
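Review bot: `/{usr/,}bin/dpkg-buildpackage rPUx,` (already tagged `(#FIXME#)`) makes a root-run `apt-get source --compile` hand the whole package build to an unconfined process whenever no dpkg-buildpackage profile is loaded, and nothing in the log distinguishes that from a confined run. Use `/{usr/,}bin/dpkg-buildpackage rPx,` so the exec fails closed until a profile exists, or at least replace the FIXME with a comment stating that the unconfined fallback is intentional. As in the apt profile, `/{usr/,}bin/dpkg-source rcx -> dpkg-source,` uses lowercase `cx` and therefore skips environment scrubbing on the transition; `rCx` matches the `sensible-pager rCx -> pager` line in the same hunk.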
@@ -0,0 +1,96 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/apt-key +profile apt-key @{exec_path} { + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/find rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/comm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/id rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/uniq rix, + /{usr/,}bin/wc rix, + + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, + + /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/apt-config rPx, + + / r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*.gpg} r, + + owner /tmp/apt-key-gpghome.*/{,**} rw, + + + profile gpg { + #include + #include + #include + + /{usr/,}bin/gpg mr, + /{usr/,}bin/gpgconf mr, + + /{usr/,}bin/dirmngr rix, + /{usr/,}bin/gpg-agent rix, + /{usr/,}bin/gpg-connect-agent rix, + + /etc/apt/.#lk0x[a-f0-9]*.@{pid} rw, + /etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid}, + /etc/apt/trusted.gpg{,~,.tmp} rw, + /etc/apt/trusted.gpg.lock rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid}, + + /etc/apt/trusted.gpg.d/ r, + /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid} rw, + /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}, + /etc/apt/trusted.gpg.d/*.gpg r, + /etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}, + + owner 
/tmp/apt-key-gpghome.*/ rw, + owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /usr/share/gnupg/sks-keyservers.netCA.pem r, + + /etc/hosts r, + /etc/inputrc r, + + # File_inherit + owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, + + } + + #include if exists +} diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs new file mode 100644 index 00000000..a213da15 --- /dev/null +++ b/apparmor.d/apt-listbugs @@ -0,0 +1,56 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/apt-listbugs +profile apt-listbugs @{exec_path} { + #include + #include + #include + #include + #include + + #capability sys_tty_config, + + @{exec_path} r, + /{usr/,}bin/ruby2.[0-9]* rix, + + /{usr/,}bin/dash rix, + /{usr/,}bin/logname rix, + + /{usr/,}bin/apt-config rPx, + /{usr/,}bin/dpkg-query rPx, + + /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, + + /usr/share/rubygems-integration/*/specifications/ r, + /usr/share/rubygems-integration/*/specifications/* r, + + /etc/apt/listbugs/{,*} r, + + @{PROC}/@{pid}/loginuid r, + + # The following is needed when apt-listbugs uses debcconf GUI frontends. + #include + #include + #include + #include + capability dac_read_search, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/hostname rPx, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + #include if exists +} diff --git a/apparmor.d/apt-listbugs-aptcleanup b/apparmor.d/apt-listbugs-aptcleanup new file mode 100644 index 00000000..af1d7451 --- /dev/null 
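Review bot: In apt-key's `gpg` child, `/{usr/,}bin/dirmngr rix,` runs the keyserver component inline under the same rules that allow `/etc/apt/trusted.gpg{,~,.tmp} rw,` and the `trusted.gpg.d` lock and temp files, so the process that talks to the network (the `sks-keyservers.netCA.pem r,` rule shows that is expected) is also the one permitted to rewrite APT's trust anchors. Give it its own domain, `/{usr/,}bin/dirmngr rCx -> dirmngr,`, with a child limited to the `/tmp/apt-key-gpghome.*/` home and network access, so a malicious keyserver response that compromises dirmngr cannot touch the keyring; `gpg-agent` and `gpg-connect-agent` can stay `rix` since they need the gpghome but no network. Which network rules the removed `#include` lines provide cannot be seen here, so the child's includes need to be chosen from the original file.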
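Review bot: `@{HOME}/.Xauthority r,` at the end of the apt-listbugs profile lacks the `owner` qualifier that the other profiles in this commit put on the same path (`owner @{HOME}/.Xauthority r,` in anki's `mpv` child and in aplay), so the process may read any user's X cookie. If that is deliberate because apt-listbugs runs as root under apt and needs the invoking desktop user's cookie for the debconf GUI frontend, say so next to the rule, `# no owner: runs as root under apt and reads the invoking user's cookie`; otherwise add `owner`. The commented-out `#capability sys_tty_config,` should either be removed or carry a note explaining why it is parked.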
+++ b/apparmor.d/apt-listbugs-aptcleanup @@ -0,0 +1,25 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup +profile apt-listbugs-aptcleanup @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/ruby2.[0-9]* rix, + + #include if exists +} diff --git a/apparmor.d/apt-listbugs-migratepins b/apparmor.d/apt-listbugs-migratepins new file mode 100644 index 00000000..f881177a --- /dev/null +++ b/apparmor.d/apt-listbugs-migratepins @@ -0,0 +1,34 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/libexec/apt-listbugs/migratepins +profile apt-listbugs-migratepins @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/ruby2.[0-9]* rix, + + /usr/share/rubygems-integration/*/specifications/ r, + /usr/share/rubygems-integration/*/specifications/* r, + + /etc/apt/preferences r, + + owner /tmp/pin_migration_*-@{pid}-*/ w, + owner /tmp/pin_migration_*-@{pid}-*/preferences w, + owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w, + + #include if exists +} diff --git a/apparmor.d/apt-listbugs-prefclean b/apparmor.d/apt-listbugs-prefclean new file mode 100644 index 00000000..da7188cf --- /dev/null +++ b/apparmor.d/apt-listbugs-prefclean 
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /usr/libexec/apt-listbugs/prefclean
+profile apt-listbugs-prefclean @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/ruby2.[0-9]* rix,
+
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+
+ owner /var/spool/apt-listbugs/lastprefclean rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges
new file mode 100644
index 00000000..c9b1dce2
--- /dev/null
+++ b/apparmor.d/apt-listchanges
@@ -0,0 +1,93 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/apt-listchanges
+profile apt-listchanges @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ #capability sys_tty_config,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/tar rix,
+
+ /{usr/,}bin/hostname rPx,
+ /{usr/,}bin/dpkg-deb rPx,
+ /{usr/,}bin/sensible-pager rCx -> pager,
+ # Send results using email
+ /{usr/,}sbin/exim4 rPx,
+
+ /usr/share/apt-listchanges/{,**} r,
+
+ /etc/apt/listchanges.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/dpkg/status r,
+
+ /var/lib/apt/listchanges{,-new}.db rw,
+ /var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner /tmp/* rw,
+ owner /tmp/apt-listchanges*/ rw,
+ owner /tmp/apt-listchanges*/**/ rw,
+ owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw,
+ owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw,
+ owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw,
+ owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
+ owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
+ owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
+
+ # The following is needed when apt-listchanges uses debcconf GUI frontends.
+ #include
+ #include
+ #include
+ #include
+ capability dac_read_search,
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/hostname rPx,
+ owner @{PROC}/@{pid}/mounts r,
+ @{HOME}/.Xauthority r,
+
+
+ profile pager {
+ #include
+ #include
+
+ #capability sys_tty_config,
+
+ /{usr/,}bin/sensible-pager mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/less rix,
+
+ owner @{HOME}/.less* rw,
+
+ owner /tmp/apt-listchanges-tmp*.txt r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-mark b/apparmor.d/apt-mark
new file mode 100644
index 00000000..933c16da
--- /dev/null
+++ b/apparmor.d/apt-mark
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/apt-mark
+profile apt-mark @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+
+ /var/lib/apt/extended_states{,.*} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /var/cache/apt/ r,
+ /var/cache/apt/** rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-cdrom b/apparmor.d/apt-methods-cdrom
new file mode 100644
index 00000000..298312f2
--- /dev/null
+++ b/apparmor.d/apt-methods-cdrom
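Review bot: `owner /tmp/* rw,` in apt-listchanges makes every more specific `owner /tmp/apt-listchanges*` rule under it redundant and, since the tool normally runs as root from an apt hook, lets the process read and write any root-owned file directly under /tmp. If the wildcard only exists for the pager's temp file (`owner /tmp/apt-listchanges-tmp*.txt r,` in the `pager` child), narrowing it to `owner /tmp/apt-listchanges-tmp*.txt rw,` keeps the profile's intent without the blanket grant; if some other path needs it, a comment naming that path would let the rule be tightened later.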
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/cdrom
+profile apt-methods-cdrom @{exec_path} {
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-copy b/apparmor.d/apt-methods-copy
new file mode 100644
index 00000000..b2a83ebe
--- /dev/null
+++ b/apparmor.d/apt-methods-copy
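Review bot: `@{BUILD_DIR} = /media/debuilder/` hard-codes a site-specific path into the shipped profile, and `@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,` then gives every APT method, including the ones that talk to remote servers, read, write, lock and link access to that whole tree. Keeping the main profile free of the build-tree rule and placing the variable and rule in the local include the profile already reserves with `#include if exists` would mean hosts without a builder get no such grant. Because the variable already ends in a slash, the expansion contains a double slash (`/media/debuilder//**`); confirm the parser normalises that or drop the trailing slash from the definition. The same variable and rule are repeated in apt-methods-copy, -file, -ftp, -gpgv, -http, -mirror, -rred, -rsh, -store and aptitude.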
@@ -0,0 +1,59 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/copy
+profile apt-methods-copy @{exec_path} {
+ #include
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ # apt-helper gets "no new privs" so "rix" it
+ /{usr/,}lib/apt/apt-helper rix,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-file b/apparmor.d/apt-methods-file
new file mode 100644
index 00000000..6f3289e9
--- /dev/null
+++ b/apparmor.d/apt-methods-file
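Review bot: `/var/log/cron-apt/temp w,` under `# file_inherit` in apt-methods-copy lacks the `owner` qualifier that the parallel rule in apt-methods-store and apt-show-versions carries (`owner /var/log/cron-apt/temp w,`); apt-methods-file, -gpgv, -http, -rred and aptitude use the unqualified form too. The rule covers the same inherited descriptor in each profile, so one form should be chosen and applied to all of them — the `owner` form if the cron-apt temp file is created by the same user the methods run as, otherwise the unqualified one everywhere.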
@@ -0,0 +1,59 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/file
+profile apt-methods-file @{exec_path} {
+ #include
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ # apt-helper gets "no new privs" so "rix" it
+ /{usr/,}lib/apt/apt-helper rix,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-ftp b/apparmor.d/apt-methods-ftp
new file mode 100644
index 00000000..1373a526
--- /dev/null
+++ b/apparmor.d/apt-methods-ftp
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/ftp
+profile apt-methods-ftp @{exec_path} {
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-gpgv b/apparmor.d/apt-methods-gpgv
new file mode 100644
index 00000000..f3eb1459
--- /dev/null
+++ b/apparmor.d/apt-methods-gpgv
@@ -0,0 +1,92 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/gpgv
+profile apt-methods-gpgv @{exec_path} {
+ #include
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ # The following get "no new privs" so "rix" them
+ /{usr/,}bin/apt-key rix,
+ /{usr/,}bin/apt-config rix,
+ /{usr/,}bin/dpkg rix,
+ /{usr/,}bin/gpg-connect-agent rix,
+ /{usr/,}bin/gpgconf rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/gpgv rix,
+
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/cmp rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/touch rix,
+
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /etc/apt/trusted.gpg.d/{,*.gpg} r,
+ /etc/apt/trusted.gpg r,
+
+ owner /tmp/apt-key-gpghome.*/ rw,
+ owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
+ owner /tmp/apt.{conf,sig,data}.* rw,
+
+ /var/lib/apt/lists/{,**} r,
+ owner 
/var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/dpkg/arch r,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ / r,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-http b/apparmor.d/apt-methods-http
new file mode 100644
index 00000000..abc83108
--- /dev/null
+++ b/apparmor.d/apt-methods-http
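Review bot: `/etc/apt/trusted.gpg.d/{,*.gpg} r,` in apt-methods-gpgv only matches binary keyrings, while APT also accepts ASCII-armoured `*.asc` files in that directory; a key installed that way would make verification fail under this profile rather than silently pass, but if such keys are in use the rule should read `/etc/apt/trusted.gpg.d/{,*.gpg,*.asc} r,`. `/{usr/,}bin/apt-key rix,` and `/{usr/,}bin/dpkg rix,` run those tools inside the gpgv profile, which is presumably why the shell-utility set (`cat`, `chmod`, `rm`, `sed`, `sort`, …) and `/ r,` have to be granted here; a comment on that block saying the helpers are what the apt-key shell script invokes would make the grant easier to audit when apt-key changes.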
@@ -0,0 +1,73 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
+profile apt-methods-http @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ # apt-helper gets "no new privs" so "rix" it
+ /{usr/,}lib/apt/apt-helper rix,
+
+ /etc/apt/auth.conf.d/{,*} r,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ /var/cache/apt/ r,
+ /var/cache/apt/** rwk,
+
+ # For the aptitude interactive mode
+ owner /tmp/aptitude-root.*/aptitude-download-* rw,
+
+ owner /tmp/apt-changelog-*/*.changelog rw,
+
+ @{PROC}/1/cgroup r,
+ @{PROC}/@{pid}/cgroup r,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ /var/log/cron-apt/temp w,
+
+ #include if exists
+}
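Review bot: `/etc/apt/auth.conf.d/{,*} r,` in apt-methods-http covers the drop-in directory but not `/etc/apt/auth.conf` itself, which APT also reads for repository credentials; on a host that uses that file the method would be denied it, so `/etc/apt/auth.conf r,` belongs next to it. `/var/cache/apt/** rwk,` is the widest write grant in the method family, given to the one method that handles remote input; if the audit log shows it only touches downloaded archives, `/var/cache/apt/archives/{,partial/}* rwk,` would confine the download path without changing behaviour. `@{PROC}/1/cgroup r,` is unusual for a download method and deserves a one-line comment naming what reads it.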
diff --git a/apparmor.d/apt-methods-mirror b/apparmor.d/apt-methods-mirror
new file mode 100644
index 00000000..aadb324f
--- /dev/null
+++ b/apparmor.d/apt-methods-mirror
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
+profile apt-methods-mirror @{exec_path} {
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-rred b/apparmor.d/apt-methods-rred
new file mode 100644
index 00000000..5c99528a
--- /dev/null
+++ b/apparmor.d/apt-methods-rred
@@ -0,0 +1,59 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/rred
+profile apt-methods-rred @{exec_path} {
+ #include
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ # apt-helper gets "no new privs" so "rix" it
+ /{usr/,}lib/apt/apt-helper rix,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-rsh b/apparmor.d/apt-methods-rsh
new file mode 100644
index 00000000..2ce2e1e3
--- /dev/null
+++ b/apparmor.d/apt-methods-rsh
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
+profile apt-methods-rsh @{exec_path} {
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-methods-store b/apparmor.d/apt-methods-store
new file mode 100644
index 00000000..5841d342
--- /dev/null
+++ b/apparmor.d/apt-methods-store
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}lib/apt/methods/store
+profile apt-methods-store @{exec_path} {
+ #include
+ #include
+ #include
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ capability setgid,
+ capability setuid,
+
+ signal (receive) peer=apt,
+ signal (receive) peer=apt-get,
+ signal (receive) peer=aptitude,
+ signal (receive) peer=synaptic,
+
+ @{exec_path} mr,
+
+ # apt-helper gets "no new privs" so "rix" it
+ /{usr/,}lib/apt/apt-helper rix,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/apt/lists/{,**} r,
+ owner /var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ /usr/share/doc/*/changelog.* r,
+
+ owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-show-versions b/apparmor.d/apt-show-versions
new file mode 100644
index 00000000..b1b49638
--- /dev/null
+++ b/apparmor.d/apt-show-versions
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/apt-show-versions
+profile apt-show-versions @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /usr/bin/dpkg rPx -> child-dpkg,
+
+ owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
+ owner /var/cache/apt-show-versions/files rw,
+
+ /var/cache/apt/ r,
+ /var/cache/apt/** rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/apt-sortpkgs b/apparmor.d/apt-sortpkgs
new file mode 100644
index 00000000..8d0e48cd
--- /dev/null
+++ b/apparmor.d/apt-sortpkgs
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/apt-sortpkgs
+profile apt-sortpkgs @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ #include if exists
+}
diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude
new file mode 100644
index 00000000..60a3e772
--- /dev/null
+++ b/apparmor.d/aptitude
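Review bot: `/usr/bin/dpkg rPx -> child-dpkg,` in apt-show-versions spells the path without the `/{usr/,}bin/` alternation that every other executable rule in this set uses (for example `/{usr/,}bin/dpkg rPx,` in apt-mark), so it should read `/{usr/,}bin/dpkg rPx -> child-dpkg,` for consistency. The named target `child-dpkg`, like `child-lsb_release` in apt-listbugs, has to exist for the transition to load; it is not part of this chunk, so confirm the profile is defined in the same commit.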
@@ -0,0 +1,189 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/aptitude{,-curses}
+profile aptitude @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ # To remove the following errors:
+ # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
+ # (1: Operation not permitted)
+ # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
+ # (1: Operation not permitted)
+ # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
+ # Item::QueueURI (1: Operation not permitted)
+ capability fowner,
+
+ # To remove the following errors:
+ # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
+ # (1: Operation not permitted)
+ # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
+ # (1: Operation not permitted)
+ capability chown,
+
+ # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+ # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+ # used by APT to download packages, package list, and other things using APT methods as an
+ # unprivileged user/group (_apt/nogroup).
+ #
+ # To remove the following errors:
+ # E: setgroups 65534 failed - setgroups (1: Operation not permitted)
+ # E: setegid 65534 failed - setegid (1: Operation not permitted)
+ # E: seteuid 100 failed - seteuid (1: Operation not permitted)
+ # E: setgroups 0 failed - setgroups (1: Operation not permitted)
+ capability setuid,
+ capability setgid,
+
+ # To remove the following errors:
+ # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
+ # PrepareFiles (13: Permission denied)
+ # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
+ capability dac_read_search,
+
+ # To remove the following errors:
+ # E: Failed to fetch https://**.deb rename failed, Permission denied
+ # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
+ # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
+ capability dac_override,
+
+ # Needed? (##FIXME##)
+ capability kill,
+ capability fsetid,
+ capability sys_chroot,
+ #capability sys_tty_config,
+
+ signal (send) peer=apt-methods-*,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/test rix,
+ /{usr/,}bin/{,e}grep rix,
+
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/apt-listbugs rPx,
+ /{usr/,}bin/apt-listchanges rPx,
+ /{usr/,}bin/apt-show-versions rPx,
+ /{usr/,}sbin/dpkg-preconfigure rPx,
+ /{usr/,}bin/debtags rPx,
+ /{usr/,}sbin/localepurge rPx,
+ /{usr/,}bin/appstreamcli rPx,
+ /{usr/,}bin/adequate rPx,
+ /{usr/,}sbin/update-command-not-found rPx,
+ /usr/share/command-not-found/cnf-update-db rPx,
+
+ # Methods to use to download packages from the net
+ /{usr/,}lib/apt/methods/* rPx,
+
+ /var/lib/apt/lists/** rw,
+ /var/lib/apt/lists/lock rwk,
+ /var/lib/apt/extended_states{,.*} rw,
+
+ /var/log/apt/eipp.log.xz w,
+ /var/log/apt/{term,history}.log w,
+ /var/log/aptitude w,
+
+ # For downloading the source of packages (showsrc/source options)
+ /{usr/,}bin/apt rPx,
+
+ # For changelogs
+ owner 
/tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
+ owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
+ owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w,
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/aptitude/ rw,
+ owner @{HOME}/.cache/aptitude/metadata-download{,-journal} rw,
+ owner @{HOME}/.cache/aptitude/metadata-download rwk,
+ /{usr/,}bin/sensible-pager rCx -> pager,
+
+ # For aptitude-run-state-bundle
+ owner /tmp/aptitudebug.*/ r,
+ owner /tmp/aptitudebug.*/** rwk,
+
+ /var/lib/apt-xapian-index/index r,
+ /var/cache/apt-xapian-index/index.[0-9]/*.glass r,
+ /var/cache/apt-xapian-index/index.[0-9]/iamglass r,
+
+ /var/lib/dpkg/** r,
+ /var/lib/dpkg/lock{,-frontend} rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner /tmp/aptitude-*.@{pid}:*/ rw,
+ owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
+ /tmp/aptitude-*.@{pid}:*/pkgstates* r,
+ owner /tmp/apt-dpkg-install-*/ rw,
+ owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
+
+ /var/cache/apt/ r,
+ /var/cache/apt/** rwk,
+
+ # For the interactive mode
+ /usr/share/tasksel/descs/ r,
+ /usr/share/tasksel/descs/debian-tasks.desc r,
+ owner @{HOME}/.aptitude/ rw,
+ owner @{HOME}/.aptitude/config rw,
+ owner @{HOME}/.aptitude/config@{pid} rw,
+ /tmp/apt-changelog-*/ rw,
+ /var/lib/debtags/vocabulary r,
+ /{usr/,}bin/su rPx,
+
+ /{var/,}run/lock/aptitude rwk,
+ /usr/share/aptitude/ r,
+ /usr/share/aptitude/* r,
+ /var/lib/aptitude/pkgstates{,.old,.new} rw,
+ /var/lib/aptitude/pkgstates.old rwl -> /var/lib/aptitude/pkgstates,
+
+ /var/lib/debtags/package-tags r,
+
+ # When run in a TTY, to remove the following error:
+ # aptitude[]: *** err
+ # aptitude[]: /dev/tty2: Permission denied
+ # aptitude[]: *** err
+ # aptitude[]: Oh, oh, it's an error! possibly I die!
+ /dev/tty[0-9]* rw,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ # file_inherit
+ /var/log/cron-apt/temp w,
+
+
+ profile pager flags=(complain) {
+ #include
+ #include
+
+ /{usr/,}bin/sensible-pager mr,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/less rix,
+
+ owner @{HOME}/.less* rw,
+
+ owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
+
+ }
+
+ #include if exists
+}
+
diff --git a/apparmor.d/aptitude-changelog-parser b/apparmor.d/aptitude-changelog-parser
new file mode 100644
index 00000000..3898e271
--- /dev/null
+++ b/apparmor.d/aptitude-changelog-parser
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/aptitude-changelog-parser
+profile aptitude-changelog-parser @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /etc/dpkg/origins/debian r,
+
+ /**/debian/changelog r,
+
+ #include if exists
+}
diff --git a/apparmor.d/aptitude-create-state-bundle b/apparmor.d/aptitude-create-state-bundle
new file mode 100644
index 00000000..63bafae7
--- /dev/null
+++ b/apparmor.d/aptitude-create-state-bundle
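Review bot: `profile aptitude @{exec_path} flags=(complain) {` and the child `profile pager flags=(complain) {` ship in complain mode, so nothing in the aptitude profile is enforced and every rule, including `capability dac_override,`, `capability dac_read_search,` and the `# Needed? (##FIXME##)` block with `capability kill,`, `capability fsetid,` and `capability sys_chroot,`, is only logged. That is a fair staging state for a profile this size, but the three FIXME capabilities should be settled from the audit log before the flag is dropped, since `sys_chroot` and `dac_override` on a root-run package manager give back much of what the profile is meant to take away. `/{usr/,}bin/su rPx,` under `# For the interactive mode` would also benefit from a comment naming the feature that spawns it, so a later reviewer can tell whether it is still needed.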
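Review bot: `/**/debian/changelog r,` in aptitude-changelog-parser grants read of any file at that relative path anywhere on the filesystem, which is wider than the `@{BUILD_DIR}`-scoped access the method profiles use for build trees. If the parser is only handed changelogs from package builds or aptitude's own temp directories, `owner /**/debian/changelog r,` (or a `@{BUILD_DIR}`-prefixed rule) would limit it; otherwise a comment stating which callers pass arbitrary paths here would justify the wide glob.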
@@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle +profile aptitude-create-state-bundle @{exec_path} { + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + + /{usr/,}bin/which rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/gzip rix, + + # Files included in the bundle + owner @{HOME}/.aptitude/{,*} r, + /var/lib/aptitude/{,*} r, + /var/lib/apt/{,**} r, + /var/cache/apt/ r, + /var/cache/apt/*.bin r, + /etc/apt/{,**} r, + /var/lib/dpkg/status r, + + #include if exists +} diff --git a/apparmor.d/aptitude-run-state-bundle b/apparmor.d/aptitude-run-state-bundle new file mode 100644 index 00000000..be610bc0 --- /dev/null +++ b/apparmor.d/aptitude-run-state-bundle @@ -0,0 +1,36 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle +profile aptitude-run-state-bundle @{exec_path} { + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + + /{usr/,}bin/tar rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + + /{usr/,}bin/aptitude-curses rPx, + + owner /tmp/aptitudebug.*/{,**} rw, + + #include if exists +} 
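Review bot: `/etc/apt/{,**} r,` in the aptitude-create-state-bundle profile also covers `/etc/apt/auth.conf` and `/etc/apt/auth.conf.d/`, which hold repository credentials, so a bundle built under this profile can carry them into whatever bug report it is attached to. If the tool does not need them, `deny /etc/apt/auth.conf{,.d/**} r,` next to the `# Files included in the bundle` comment keeps them out; otherwise a comment there should warn that bundles may contain credentials.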
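Review bot: `/{usr/,}bin/aptitude-curses rPx,` in the aptitude-run-state-bundle profile requires a loaded profile whose attachment covers `aptitude-curses`, otherwise the exec is denied rather than falling back; the aptitude profile's attachment line is outside this view, so I cannot confirm it matches. A one-line comment naming the profile that is expected to take over (`# handled by the aptitude profile`) would make the dependency explicit.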
diff --git a/apparmor.d/arandr b/apparmor.d/arandr new file mode 100644 index 00000000..33583192 --- /dev/null +++ b/apparmor.d/arandr @@ -0,0 +1,46 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/arandr +profile arandr @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/xrandr rPx, + + owner @{HOME}/.screenlayout/ rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/at-spi-bus-launcher b/apparmor.d/at-spi-bus-launcher new file mode 100644 index 00000000..48356706 --- /dev/null +++ b/apparmor.d/at-spi-bus-launcher 
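Review bot: `owner @{HOME}/.screenlayout/ rw,` matches only the directory itself, so any layout script arandr saves inside it (presumably `~/.screenlayout/*.sh`, confirm against the tool) would be denied on write. If that is the intended workflow, add `owner @{HOME}/.screenlayout/*.sh rw,` beneath it. Separately, `/{usr/,}bin/xrandr rPx,` needs an xrandr profile to be loaded or the exec fails outright; a comment naming that profile would document the dependency.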
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher /usr/libexec/at-spi-bus-launcher +profile at-spi-bus-launcher @{exec_path} { + #include + #include + #include + #include + + # Needed? + deny capability sys_nice, + + signal (send) set=(term, kill) peer=dbus-daemon, + + @{exec_path} mr, + + /{usr/,}bin/dbus-daemon rPUx, + + owner @{PROC}/@{pid}/fd/ r, + + owner @{HOME}/.Xauthority r, + /var/lib/lightdm/.Xauthority r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + /var/log/lightdm/seat[0-9]*-greeter.log w, + + #include if exists +} diff --git a/apparmor.d/at-spi2-registryd b/apparmor.d/at-spi2-registryd new file mode 100644 index 00000000..0cd86bfc --- /dev/null +++ b/apparmor.d/at-spi2-registryd 
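Review bot: `signal (send) set=(term, kill) peer=dbus-daemon,` names a confined `dbus-daemon` peer label, but the exec rule `/{usr/,}bin/dbus-daemon rPUx,` falls back to unconfined when no such profile is loaded, and an unconfined child carries the `unconfined` label, so the signal rule would not match on that fallback path. Either make the two consistent (`rPx` together with a dbus-daemon profile) or add a second signal rule for the fallback label. The `# Needed?` above `deny capability sys_nice,` is also an open question left in the profile; replacing it with what was observed in the audit log would be clearer.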
@@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd /usr/libexec/at-spi2-registryd +profile at-spi2-registryd @{exec_path} { + #include + #include + #include + + # Needed? + deny capability sys_nice, + + @{exec_path} mr, + + owner @{HOME}/.Xauthority r, + /var/lib/lightdm/.Xauthority r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/atftpd b/apparmor.d/atftpd new file mode 100644 index 00000000..bbeec524 --- /dev/null +++ b/apparmor.d/atftpd @@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/atftpd +profile atftpd @{exec_path} { + #include + #include + + # to run atftpd daemon as nobody/nogroup + capability setgid, + capability setuid, + + @{exec_path} mr, + + # FTP dirs (add "w" if you need write permissions and hence upload files) + /tftpboot/{,**} r, + /srv/tftp/{,**} r, + + # for libwrap (TCP Wrapper) support + /etc/hosts.{,allow,deny} r, + + #include if exists +} diff --git a/apparmor.d/atom b/apparmor.d/atom new file mode 100644 index 00000000..9604415c --- /dev/null +++ b/apparmor.d/atom 
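Review bot: `/var/lib/lightdm/.Xauthority r,` in the at-spi2-registryd profile is granted without `owner`, unlike the `owner @{HOME}/.Xauthority r,` line just above it, so a registryd running for any user may read the greeter's X cookie. If the file is only needed while the greeter session runs the daemon as the lightdm user, `owner` should be sufficient there too; if not, a comment explaining why the cross-user read is required would help. The `# Needed?` over `deny capability sys_nice,` is likewise an unresolved question in the committed profile.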
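Review bot: `/etc/hosts.{,allow,deny} r,` in the atftpd profile has an empty alternative that expands to `/etc/hosts.`, which is not a real file; `/etc/hosts.{allow,deny} r,` says exactly what the `# for libwrap (TCP Wrapper) support` comment intends. The `capability setgid,`/`capability setuid,` pair is well commented, which is the style the other capability rules in this commit could follow.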
@@ -0,0 +1,206 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom +profile atom @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + # The following doesn't seem to be needed + ##include + ##include + ##include + ##include + #include + ##include + ##include + #include + #include + + ptrace (read) peer=child-lsb_release, + ptrace (read) peer=xdg-settings, + + @{exec_path} mrix, + + /usr/share/atom/** r, + /usr/share/atom/libffmpeg.so mr, + /usr/share/atom/libnode.so mr, + /usr/share/atom/resources/**/bin/* rix, + /usr/share/atom/resources/**.node mr, + /usr/share/atom/resources/**/libexec/** rix, + + deny /{usr/,}local/bin/ r, + deny /{usr/,}bin/ r, + #/{usr/,}bin/bash rix, + #/{usr/,}bin/zsh rix, + #/{usr/,}bin/env rix, + #/{usr/,}bin/rmdir rix, + #/{usr/,}bin/{,e}grep rix, + #/{usr/,}bin/ls rix, + #/{usr/,}bin/gawk rix, + #/{usr/,}bin/tty rix, + #/{usr/,}bin/dircolors rix, + #/{usr/,}bin/cut rix, + #/{usr/,}bin/xwininfo rix, + #/{usr/,}bin/date rix, + # The expr and uname tools are needed or Atom won't start with the following error: + # Your platform () is not supported. + /{usr/,}bin/expr rix, + /{usr/,}bin/uname rix, + # The following also are needed to start Atom + /{usr/,}bin/basename rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/nohup rix, + /{usr/,}bin/cat rix, + # The dash shell is needed to install packages. If you don't want to install any, coment the + # following line out. 
+ #/{usr/,}bin/dash rix, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/xdg-open rCx -> open, + + /{usr/,}bin/xdg-settings rPUx, + + /{usr/,}bin/git rPUx, + + # Needed to sign commits + /{usr/,}bin/gpg rCx -> gpg, + + # /home/ r, + # Reading of the user home dir is required or the following error will be printed: + # Unexpected end of JSON input: + #owner @{HOME}/ r, + owner @{HOME}/.atom/ rw, + owner @{HOME}/.atom/** rwkl -> @{HOME}/.atom/**, + owner @{HOME}/.config/Atom/ rw, + owner @{HOME}/.config/Atom/** rwkl -> @{HOME}/.config/Atom/**, + + # Git dirs + / r, + /media/ r, + owner /media/*/ r, + owner /media/*/atom/ r, + owner /media/*/atom/** rwkl -> /media/*/atom/**, + + owner @{HOME}/.config/git/config r, + + # To remove the following error: + # Error initializing NSS with a persistent database + deny owner @{HOME}/.pki/ rw, + deny owner @{HOME}/.pki/nssdb/ rw, + deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # Needed or atom gets crash with the following error: + # FATAL:proc_util.cc(36)] : Permission denied (13) + @{PROC}/ r, + # + deny @{PROC}/vmstat r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/@{pid}/fd/ r, + # Needed to remove the following error: + # Failed to activate the metrics package + # EACCES: permission denied, uv_resident_set_memory + @{PROC}/@{pids}/stat r, + # To remove the following error: + # Failed to adjust OOM score of renderer with pid : Permission denied + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pids}/task/ r, + deny owner @{PROC}/@{pids}/task/@{tid}/status r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny owner @{PROC}/@{pid}/loginuid r, + + deny /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + deny 
@{sys}/devices/virtual/tty/tty[0-9]/active r, + deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + # The irq file is needed to render pages. + deny @{sys}/devices/pci[0-9]*/**/irq r, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/.org.chromium.Chromium.* rw, + owner /tmp/atom-[0-9a-f]*.sock rw, + owner "/tmp/Atom Crashes/" rw, + owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw, + owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw, + owner /tmp/github-[0-9]*-[0-9]*-*.*/git-{credential,askpass}-atom.{js,sh} rwix, + owner /tmp/github-[0-9]*-[0-9]*-*.*/linux-ssh-wrapper.sh rwix, + owner /tmp/github-[0-9]*-[0-9]*-*.*/gpg-wrapper.sh rwix, + owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/ rw, + owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/** rw, + owner /tmp/net-export/ rw, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + + profile gpg { + #include + #include + #include + #include + + /{usr/,}bin/gpg mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + # file_inherit + owner @{HOME}/.xsession-errors w, + /usr/share/atom/** r, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/badblocks b/apparmor.d/badblocks new file mode 100644 index 00000000..4073d695 --- /dev/null +++ b/apparmor.d/badblocks 
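Review bot: `/{usr/,}bin/git rPUx,` lets git run unconfined whenever no git profile is loaded, which takes every repository operation the editor triggers (and any helper git itself spawns) outside the policy. Since this profile already defines `gpg` and `open` child profiles, a `git` child (`/{usr/,}bin/git rCx -> git,`) would keep that path confined with a known rule set. The `rwix` grants on `/tmp/github-*/git-{credential,askpass}-atom.{js,sh}`, `linux-ssh-wrapper.sh` and `gpg-wrapper.sh` are write-plus-execute on the same files; `ix` keeps the profile, so this is acceptable, but a comment stating that these are wrappers atom writes and then executes would make it clear it is deliberate. `@{PROC}/@{pids}/stat r,` reads every process's stat although the comment only cites `uv_resident_set_memory`, which I would expect to need only the process's own pid; `owner @{PROC}/@{pid}/stat r,` is worth trying first.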
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/badblocks
+profile badblocks @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/swaps r,
+
+ # A place for a list of already existing known bad blocks
+ @{HOME}/** rwk,
+ /media/*/** rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/bin.netstat b/apparmor.d/bin.netstat
new file mode 100644
index 00000000..a05e67b0
--- /dev/null
+++ b/apparmor.d/bin.netstat
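Review bot: `@{HOME}/** rwk,` and `/media/*/** rwk,` grant write and lock on every file under every home directory and mounted medium, and badblocks is normally run as root, so a mistyped `-o`/`-i` path can clobber arbitrary user data while the profile stays silent. The comment says these are for a known-bad-blocks list, which suggests a narrower pattern (a dedicated file name or extension, chosen to match how the lists are actually named) with `r` for the input list and `w` only for the output. If the broad grant is deliberate, the comment should say why.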
@@ -0,0 +1,56 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2017 Christian Boltz +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# evolution, amongst other things, calls this program. I didn't want to +# give evolution access to significant chunks of /proc +# + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/netstat +profile netstat @{exec_path} { + #include + #include + #include + + capability dac_read_search, + capability syslog, + capability sys_ptrace, + + ptrace (trace,read), + + @{exec_path} rmix, + + /etc/networks r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/net r, + @{PROC}/net/* r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/net/netstat r, + @{PROC}/@{pid}/net/raw r, + @{PROC}/@{pid}/net/snmp r, + @{PROC}/@{pid}/net/raw6 r, + @{PROC}/@{pid}/net/tcp r, + @{PROC}/@{pid}/net/tcp6 r, + @{PROC}/@{pid}/net/udp r, + @{PROC}/@{pid}/net/udp6 r, + @{PROC}/@{pid}/net/udplite r, + @{PROC}/@{pid}/net/udplite6 r, + @{PROC}/@{pid}/net/unix r, + # For "netstat -i" + @{PROC}/@{pid}/net/dev r, + +} diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping new file mode 100644 index 00000000..3a8ebf97 --- /dev/null +++ b/apparmor.d/bin.ping 
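Review bot: `ptrace (trace,read),` grants more than netstat needs: resolving `-p` only reads `/proc/<pid>/fd`, which is covered by `ptrace (read),` together with the `capability sys_ptrace,` already present, whereas `trace` would let the process attach to other processes. Drop `trace` unless an audit entry showed it. This profile also ends with a bare `}` and no `#include if exists` local-override line, unlike every other profile in this commit; adding it keeps site-local additions consistent.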
@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+profile ping /{usr/,}bin/{,iputils-}ping {
+ #include
+ #include
+ #include
+
+ #capability net_raw, # Not needed when sysctl net.ipv4.ping_group_range is set
+ #capability setuid, # Not needed anymore since it's not SETUID binary
+ network inet raw,
+ network inet6 raw,
+
+ /{,usr/}bin/{,iputils-}ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/biosdecode b/apparmor.d/biosdecode
new file mode 100644
index 00000000..edf4211f
--- /dev/null
+++ b/apparmor.d/biosdecode
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/biosdecode
+profile biosdecode @{exec_path} {
+ #include
+
+ # Needed to read the /dev/mem device
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ /dev/mem r,
+
+ #include if exists
+}
diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray
new file mode 100644
index 00000000..f27e0073
--- /dev/null
+++ b/apparmor.d/birdtray
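Review bot: The commented-out `#capability net_raw,` makes the ping profile depend on `net.ipv4.ping_group_range` being set; on installs where the binary instead carries a `cap_net_raw` file capability (which I believe is the Debian default for iputils-ping — confirm), the kernel still asks AppArmor for `net_raw` and the raw-socket open is denied under this profile. Either grant `capability net_raw,` with a comment covering both configurations, or state the sysctl prerequisite in the profile header. This file is also the only one in the commit without the `#abi` line and `@{exec_path}` convention; if that is deliberate because it tracks the upstream profile, a comment saying so would stop the next reader from "fixing" it.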
@@ -0,0 +1,96 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/birdtray +profile birdtray @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # To be able to start Thunderbird + /{usr/,}bin/thunderbird rPx, + + /{usr/,}bin/xdg-open rCx -> open, + + /usr/share/ulduzsoft/birdtray/{,**} r, + + owner @{HOME}/.config/ulduzsoft/ rw, + owner @{HOME}/.config/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + + owner @{HOME}/.config/birdtray-config.json rwl -> @{HOME}/.config/#[0-9]*[0-9], + owner @{HOME}/.config/birdtray-config.json.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + + owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w, + + # Thunderbird mail dirs + owner @{HOME}/ r, + owner @{HOME}/.thunderbird/ r, + owner @{HOME}/.thunderbird/*.*/ r, + owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/ r, + owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/ r, + owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/hwdata/pnp.ids r, + + /dev/shm/#[0-9]*[0-9] rw, + + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + #include if exists + } + + #include if exists +} diff --git a/apparmor.d/blkid b/apparmor.d/blkid new file mode 100644 index 00000000..2fe0ffb9 --- /dev/null +++ b/apparmor.d/blkid @@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/blkid +profile blkid @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + /etc/blkid.conf r, + + # The standard location of the cache file + # Without owner here if this tool should be used as a regular user + /{,var/}run/blkid/blkid.tab{,-*} rw, + /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + # When the system doesn't have the /run/ dir, the cache file is placed under /etc/ + /etc/blkid.tab{,-*} rw, + /etc/blkid.tab.old rwl -> /etc/blkid.tab, + + # For the EVALUATE=scan method + @{PROC}/partitions r, + + # Image files + @{HOME}/** r, + /media/*/** r, + + #include if exists +} 
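Review bot: `owner @{HOME}/.config/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` hard-codes the author's home directory as the link target, so the rename/link step fails for every other user; it should read `owner @{HOME}/.config/ulduzsoft/* rwkl -> @{HOME}/.config/ulduzsoft/*,` like the birdtray-config.json rules beneath it. `/dev/shm/#[0-9]*[0-9] rw,` is also the one shared-memory rule in the profile without `owner`; unless a cross-user segment is needed, add it.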
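Review bot: `@{HOME}/** r,` and `/media/*/** r,` under `# Image files` in the blkid profile let blkid, which is normally run as root, read every file in every home directory and on every mounted medium. The btrfs-find-root profile in this same commit covers the same image-file use case with `owner @{HOME}/**.{iso,img,bin,mdf,nrg}` style patterns; using the same patterns here keeps the two consistent and limits what a root-run probe can read.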
diff --git a/apparmor.d/blockdev b/apparmor.d/blockdev
new file mode 100644
index 00000000..c530833d
--- /dev/null
+++ b/apparmor.d/blockdev
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/blockdev
+profile blockdev @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ @{PROC}/partitions r,
+
+ #include if exists
+}
diff --git a/apparmor.d/bluetoothctl b/apparmor.d/bluetoothctl
new file mode 100644
index 00000000..044739b2
--- /dev/null
+++ b/apparmor.d/bluetoothctl
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/bluetoothctl
+profile bluetoothctl @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /etc/inputrc r,
+
+ #include if exists
+}
diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd
new file mode 100644
index 00000000..aa6dfd8b
--- /dev/null
+++ b/apparmor.d/bluetoothd
@@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/bluetooth/bluetoothd +profile bluetoothd @{exec_path} { + #include + + # Needed for configuring HCI interfaces + capability net_admin, + capability net_bind_service, + + @{exec_path} mr, + + /{usr/,}lib/@{multiarch}/bluetooth/plugins/*.so mr, + + /etc/bluetooth/{,*.conf} r, + + /dev/uinput rw, + /dev/rfkill rw, + /dev/hidraw[0-9]* rw, + + /{,var/}run/sdp rw, + + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/platform/**/rfkill/**/name r, + + /var/lib/bluetooth/{,**} rw, + + #include if exists +} diff --git a/apparmor.d/bmon b/apparmor.d/bmon new file mode 100644 index 00000000..f8f2286b --- /dev/null +++ b/apparmor.d/bmon @@ -0,0 +1,25 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/bmon +profile bmon @{exec_path} { + #include + + @{exec_path} mr, + + /etc/bmon.conf r, + + #include if exists +} diff --git a/apparmor.d/brave b/apparmor.d/brave new file mode 100644 index 00000000..63e3921d --- /dev/null +++ b/apparmor.d/brave 
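Review bot: `/dev/uinput rw,` in the bluetoothd profile carries no comment, although it is the one rule that lets the daemon synthesize keyboard and pointer events for the whole system; the capability rules above it do get a `# Needed for configuring HCI interfaces` note. I believe the HID/HoG input plugins are what need it (confirm against the loaded plugins in `/{usr/,}lib/@{multiarch}/bluetooth/plugins/`), so a comment such as `# uinput is used by the input/hog plugins to forward Bluetooth HID events` would let a reader judge whether it can be dropped on a host without those plugins.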
@@ -0,0 +1,221 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} +@{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev} + +@{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev} +profile brave @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability sys_ptrace, + + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set + # to "1". 
+ capability sys_admin, + capability sys_chroot, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/uid_map w, + + ptrace (read), + + @{exec_path} mrix, + + @{BRAVE_INSTALLDIR}/{,**} r, + @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox rPx, + @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev} rPx, + @{BRAVE_INSTALLDIR}/swiftshader/libGLESv2.so mr, + @{BRAVE_INSTALLDIR}/swiftshader/libEGL.so mr, + + # When installing/removing extensions + /{usr/,}bin/basename rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/{,e}grep rix, + + /etc/opt/chrome/ r, + deny /etc/opt/chrome/ w, + + # For "brave --help" + /{usr/,}bin/man rPUx, + + # For storing passwords externally + /{usr/,}bin/keepassxc-proxy rPUx, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + + # no new privs + #deny /{usr/,}bin/xdg-desktop-menu rx, + + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-settings rPUx, + /{usr/,}bin/xdg-mime rPUx, + + /usr/share/chromium/extensions/ r, + + # To remove the following error: + # Error initializing NSS with a persistent database + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{HOME}/ r, + owner @{HOME}/.config/BraveSoftware/ w, + owner @{BRAVE_HOMEDIR}/ rw, + owner @{BRAVE_HOMEDIR}/** rwk, + # For Widevine plugin + owner @{BRAVE_HOMEDIR}/WidevineCdm/libwidevinecdm.so mrw, + + # Cache files + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/BraveSoftware/ rw, + owner @{BRAVE_CACHEDIR}/{,**/} rw, + owner @{BRAVE_CACHEDIR}/*/**/{*-,}index rw, + owner @{BRAVE_CACHEDIR}/*/**/[a-f0-9]*_? 
rw, + owner @{BRAVE_CACHEDIR}/*/**/todelete_* rw, + + # For importing data (bookmarks, cookies, etc) from Firefox + owner @{HOME}/.mozilla/firefox/profiles.ini r, + owner @{HOME}/.mozilla/firefox/*/ r, + owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, + owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, + owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, + owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/logins.json r, + # For importing data from Chromium + owner "@{HOME}/.config/chromium/Local State" r, + owner @{HOME}/.config/chromium/Singleton{Lock,Socket,Cookie} w, + owner "@{HOME}/.config/chromium/*/Login Data{,-journal}" rwk, + owner @{HOME}/.config/chromium/*/ r, + owner @{HOME}/.config/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, + + owner @{HOME}/.config/menus/applications-merged/ r, + owner @{HOME}/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # Needed or Brave crash with the following error: + # illegal hardware instruction + @{PROC}/ r, + # + deny @{PROC}/vmstat r, + deny @{PROC}/stat r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/@{pid}/fd/ r, + deny @{PROC}/@{pids}/stat r, + deny @{PROC}/@{pids}/statm r, + # To remove the following error: + # Failed to adjust OOM score of renderer with pid : Permission denied + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + # + deny @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/task/ r, + deny @{PROC}/@{pids}/task/@{tid}/status r, + deny owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/clear_refs w, + @{PROC}/sys/fs/inotify/max_user_watches r, + deny @{PROC}filesystems r, + + owner /dev/shm/.org.chromium.Chromium.* rw, + owner 
/dev/shm/org.chromium.Chromium.shmem.[A-F0-9]*._service_shmem rw, + + /dev/bus/usb/[0-9]*/[0-9]* rw, + + # For downloading files + owner @{HOME}/.local/share/.org.chromium.Chromium.* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Udev enumeration + @{sys}/bus/ r, + @{sys}/bus/**/devices/ r, + @{sys}/devices/**/uevent r, + @{sys}/class/ r, + @{sys}/class/**/ r, + /{,var/}run/udev/data/* r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + + @{sys}/devices/virtual/tty/tty[0-9]/active r, + @{sys}/devices/system/cpu/online r, + + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + # The irq file is needed to render pages. + @{sys}/devices/pci[0-9]*/**/irq r, + + @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/.org.chromium.Chromium.* rw, + owner /tmp/.org.chromium.Chromium.*/{,**} rw, + # For installing/updating/removing extensions + owner /tmp/scoped_dir*/{,**} rw, + owner /tmp/tmp.* rw, + # For brave://net-export/ + owner /tmp/net-export/ rw, + + # Silencer + deny @{BRAVE_INSTALLDIR}/** w, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/brave-browser b/apparmor.d/brave-browser new file mode 100644 index 00000000..d3690963 --- /dev/null +++ b/apparmor.d/brave-browser 
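Review bot: `deny @{PROC}filesystems r,` is missing the `/` after the variable, so it expands to `/procfilesystems`, never matches, and silently does nothing; it should be `deny @{PROC}/filesystems r,`. The import rules also grant `rwk` on Firefox's `{cert9,key4}.db`, `{places,cookies,...}.sqlite` and `logins.json` neighbours and on Chromium's `{History,Cookies,Favicons,Bookmarks}` and `Login Data`, which lets this browser modify another browser's credential and cookie stores; if import only reads them, `r` (or `rk` where sqlite needs the lock) is the safer grant, and a comment should say why write is required otherwise. `/dev/bus/usb/[0-9]*/[0-9]* rw,` likewise covers every USB device on the host; if it serves WebUSB, say so in a comment so it can be reviewed as a deliberate choice.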
@@ -0,0 +1,40 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
+@{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+@{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+
+#abi ,
+
+#include
+
+@{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev}
+profile brave-browser @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/bash r,
+
+ /usr/bin/readlink rix,
+ /usr/bin/dirname rix,
+ /usr/bin/which rix,
+ /usr/bin/mkdir rix,
+ /usr/bin/cat rix,
+
+ @{BRAVE_INSTALLDIR}/brave rPx,
+
+ owner @{PROC}/@{pid}/fd/63 w,
+
+ #include if exists
+}
diff --git a/apparmor.d/brave-sandbox b/apparmor.d/brave-sandbox
new file mode 100644
index 00000000..5cef49b7
--- /dev/null
+++ b/apparmor.d/brave-sandbox
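Review bot: `owner @{PROC}/@{pid}/fd/63 w,` pins a specific descriptor number, which looks like the fd bash picked for a process substitution in the wrapper script; that number is not stable across bash versions or open-file counts, so the rule is fragile and should carry a comment explaining what it is for, or be replaced by a pattern once the actual need is confirmed. The helper rules `/usr/bin/readlink rix,` through `/usr/bin/cat rix,` also drop the `/{usr/,}bin/` alternation used everywhere else in this commit. The `@{BRAVE_INSTALLDIR}`/`@{BRAVE_HOMEDIR}`/`@{BRAVE_CACHEDIR}` block is duplicated verbatim in the brave, brave-browser and brave-sandbox profiles (and placed before `#abi` here, after `#include` in brave); a single tunable file included by all three would keep them in sync.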
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
+@{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+@{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+
+#abi ,
+
+#include
+
+@{exec_path} = @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox
+profile brave-sandbox @{exec_path} {
+ #include
+ #include
+
+ # For kernel unprivileged user namespaces
+ capability sys_admin,
+ capability sys_chroot,
+ capability setuid,
+ capability setgid,
+
+ @{exec_path} mr,
+
+ @{BRAVE_INSTALLDIR}/brave rPx,
+
+ @{PROC}/@{pids}/ r,
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfs b/apparmor.d/btrfs
new file mode 100644
index 00000000..e54fd8a0
--- /dev/null
+++ b/apparmor.d/btrfs
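Review bot: The single comment `# For kernel unprivileged user namespaces` is placed over all four capability rules, but `capability setuid,` and `capability setgid,` serve a different purpose from `sys_admin`/`sys_chroot` — to my understanding the setuid sandbox helper uses them to drop back to the calling user after setting up the namespace and chroot (confirm against the helper's source). Splitting the comment so each pair states its reason makes it possible to review whether the setuid pair is still needed on hosts where the namespace sandbox is used instead. `@{PROC}/@{pids}/ r,` also permits listing every process directory; if only the helper's own or its child's entry is read, `owner @{PROC}/@{pid}/ r,` would be tighter.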
@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/{btrfs,btrfsck}
+profile btrfs @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+ capability fowner,
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ /{var/,}run/blkid/blkid.tab{,-*} rw,
+ /{var/,}run/blkid/blkid.tab.old rwl -> /run/blkid/blkid.tab,
+
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/partitions r,
+
+ # For fsck of the btrfs filesystem directly from gparted
+ owner /tmp/gparted-*/ rw,
+
+ # For scrub
+ /var/lib/btrfs/ rw,
+ /var/lib/btrfs/scrub.progress.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+ /var/lib/btrfs/scrub.status.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*{,_tmp} rwk,
+
+ # Saved metadata
+ /media/*/ r,
+ /media/*/ext2_saved/ rw,
+ /media/*/ext2_saved/image rw,
+ /media/*/*/ r,
+ /media/*/*/ext2_saved/ rw,
+ /media/*/*/ext2_saved/image rw,
+
+ # To be able to manage btrfs volumes
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfs-convert b/apparmor.d/btrfs-convert
new file mode 100644
index 00000000..bfefeafc
--- /dev/null
+++ b/apparmor.d/btrfs-convert
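Review bot: `/{var/,}run/blkid/blkid.tab.old rwl -> /run/blkid/blkid.tab,` uses the `/{var/,}run` alternation on the source side but a bare `/run` as the link target, and both blkid rules lack the `owner` qualifier that btrfstune and cfdisk in this same commit put on the identical rules; `/{var/,}run/blkid/blkid.tab.old rwl -> /{var/,}run/blkid/blkid.tab,` would match the sibling profiles. The three capabilities have no why-comment, although `capability sys_rawio,` is the broadest of them and the other profiles in this commit (cgrulesengd, chage, chfn) explain each capability they grant; a line such as `# sys_rawio: <ioctl or operation observed in the audit log>` would make this reviewable later. The `# Saved metadata` rules under `/media/*/ext2_saved/` relate to btrfs-convert's rollback image rather than to btrfs itself, so a comment saying which subcommand needs them here would help.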
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/btrfs-convert
+profile btrfs-convert @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfs-find-root b/apparmor.d/btrfs-find-root
new file mode 100644
index 00000000..11071897
--- /dev/null
+++ b/apparmor.d/btrfs-find-root
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/btrfs-find-root
+profile btrfs-find-root @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfs-image b/apparmor.d/btrfs-image
new file mode 100644
index 00000000..9fb7d4e2
--- /dev/null
+++ b/apparmor.d/btrfs-image
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/btrfs-image
+profile btrfs-image @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ # Image files
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfs-map-logical b/apparmor.d/btrfs-map-logical
new file mode 100644
index 00000000..4ee7b074
--- /dev/null
+++ b/apparmor.d/btrfs-map-logical
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/btrfs-map-logical
+profile btrfs-map-logical @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfs-select-super b/apparmor.d/btrfs-select-super
new file mode 100644
index 00000000..b0f13786
--- /dev/null
+++ b/apparmor.d/btrfs-select-super
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/btrfs-select-super
+profile btrfs-select-super @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/btrfstune b/apparmor.d/btrfstune
new file mode 100644
index 00000000..146a62a7
--- /dev/null
+++ b/apparmor.d/btrfstune
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/btrfstune
+profile btrfstune @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ @{PROC}/partitions r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ owner /{,var/}run/blkid/blkid.tab{,-*} rw,
+ owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+
+ #include if exists
+}
diff --git a/apparmor.d/calibre b/apparmor.d/calibre
new file mode 100644
index 00000000..1074ec35
--- /dev/null
+++ b/apparmor.d/calibre
@@ -0,0 +1,205 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# PDF extensions
+# pdf, epub, txt, html, mhtml, ps, mobi, djvu
+@{calibre_ext} = [pP][dF][fF]
+@{calibre_ext} += [eE][pP][uU][bB]
+@{calibre_ext} += [tT][xX][tT]
+@{calibre_ext} += {[mM],}[hH][tT][mM][lL]
+@{calibre_ext} += [pP][sS]
+@{calibre_ext} += [mM][oO][bB][iI]
+@{calibre_ext} += [dD][jJ][vV][uU]
+
+@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
+@{exec_path} += /{usr/,}bin/calibredb
+@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
+@{exec_path} += /{usr/,}bin/fetch-ebook-metadata
+@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer
+@{exec_path} += /{usr/,}bin/web2disk
+profile calibre @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ capability sys_ptrace,
+
+ @{exec_path} mrix,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ #/{usr/,}bin/ r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/file rix,
+
+ /{usr/,}bin/pdftoppm rPUx, # (#FIXME#)
+ /{usr/,}bin/pdfinfo rPUx,
+ /{usr/,}bin/pdftohtml rPUx,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/xdg-mime rPx,
+
+ # Which files calibre should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{calibre_ext} rw,
+
+ /usr/share/calibre/{,**} r,
+
+ owner /media/*/Calibre_Library/ r,
+ owner /media/*/Calibre_Library*/ rw,
+ owner /media/*/Calibre_Library*/** rwkl -> /media/*/Calibre_Library*/**,
+
+ owner @{HOME}/.config/calibre/ rw,
+ owner @{HOME}/.config/calibre/** rwk,
+
+ owner @{HOME}/.local/share/calibre-ebook.com/ rw,
+ owner @{HOME}/.local/share/calibre-ebook.com/calibre/ rw,
+ owner @{HOME}/.local/share/calibre-ebook.com/calibre/** rwk,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/calibre/ rw,
+ owner @{HOME}/.cache/calibre/** rwkl -> @{HOME}/.cache/calibre/**,
+
+ owner @{HOME}/.cache/qtshadercache/ rw,
+ owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
+ owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+
+ owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,
+
+ owner /tmp/calibre_*_tmp_*/{,**} rw,
+ owner /tmp/calibre-*/{,**} rw,
+ owner /tmp/[0-9]*-*/ rw,
+ owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,
+ owner /tmp/* rw,
+
+ @{PROC}/ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pids}/task/ r,
+ owner @{PROC}/@{pids}/task/@{tid}/status r,
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ deny owner @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/net/route r,
+ deny @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/vmstat r,
+
+ /etc/fstab r,
+
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ # no new privs
+ /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
+ /usr/share/qt5/**.pak r,
+
+ # For sending books to a phone
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** rw,
+
+ @{sys}/class/ r,
+ @{sys}/bus/ r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{bDeviceClass,bcdDevice,manufacturer,product} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{idVendor,idProduct} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}serial r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{speed,descriptors,bConfigurationValue,interface} r,
+
+ @{sys}/devices/pci[0-9]*/**/irq r,
+
+ /{,var/}run/udev/data/+usb* r, #
+ /{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+
+ /dev/shm/ r,
+ /dev/shm/#[0-9]*[0-9] rw,
+ owner /dev/shm/.org.chromium.Chromium.* rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ /etc/mime.types r,
+ /etc/inputrc r,
+ /etc/magic r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/dash rix,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/qpdfview rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/chromium rPx,
+ /{usr/,}bin/ebook-viewer rPx,
+ /{usr/,}bin/ebook-edit rPx,
+
+ owner /{home,media}/**.@{calibre_ext} rw,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird
new file mode 100644
index 00000000..a7352d53
--- /dev/null
+++ b/apparmor.d/cawbird
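Review bot: `@{calibre_ext} = [pP][dF][fF]` mixes a lowercase `d` with an uppercase `F` in the middle character class, so `.pdf` matches but `.PDF` and `.Pdf` do not, unlike every other entry in the list; it should read `@{calibre_ext} = [pP][dD][fF]`. `owner /tmp/* rw,` then grants read/write on every user-owned top-level file in /tmp, far beyond the calibre-specific temp patterns listed just above it; if it was added for one particular file, naming that file in the rule or in a comment keeps this profile from reaching into other confined applications' temp files. `capability sys_ptrace,` has no why-comment while the userns capabilities above it are explained; given `@{PROC}/sys/kernel/yama/ptrace_scope r` further down I would guess it is a sandbox probe by the embedded Chromium, and the audit log would show whether a `deny` is enough instead of a grant. Finally, `# no new privs` above `QtWebEngineProcess rix` is cryptic; what it appears to mean is that the helper is started with no_new_privs set, which forbids a Px/Cx profile transition, so inheriting is the only option — spell that out, e.g. `# Started with no_new_privs set, which blocks a profile transition, so it must inherit (ix)`.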
@@ -0,0 +1,88 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/cawbird
+profile cawbird @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/exo-open rCx -> open,
+
+ /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPx,
+
+ owner @{HOME}/.config/cawbird/ rw,
+ owner @{HOME}/.config/cawbird/** rwk,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/cawbird-* rw,
+
+ owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
+
+ # This is needed as cawbird stores its settings in the dconf database.
+ #include
+ /{var/,}run/user/[0-9]*/dconf/user rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node0/meminfo r,
+
+ # The orcexec.* file is JIT compiled code for various GStreamer elements.
+ # If one is blocked the next is used instead.
+ owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+ #owner @{HOME}/orcexec.* mrw,
+ #owner /tmp/orcexec.* mrw,
+
+ /dev/ r,
+ /dev/dri/ r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
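Review bot: `owner /{var/,}run/user/[0-9]*/orcexec.* mrw,` grants write and executable-mapping on the same file, i.e. a writable+executable JIT buffer, which the comment above it describes; what the comment does not say is that the two commented-out alternatives are left out on purpose so the JIT file stays inside the per-user runtime directory rather than `@{HOME}` or `/tmp`. Suggest extending it with `# Only the XDG runtime dir variant is allowed; the @{HOME} and /tmp fallbacks are deliberately left denied.` `registry.x86_64.bin` in the gstreamer cache rule hard-codes the architecture (calibre has the same rule), so every other architecture gets a denial there; `registry.*.bin` would be portable. The `open` child allows `/{usr/,}lib/firefox/firefox rPUx` while calibre's `open` child uses `rPx` for the same binary — one of the two fallback behaviours is presumably unintended.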
diff --git a/apparmor.d/ccze b/apparmor.d/ccze
new file mode 100644
index 00000000..8542859a
--- /dev/null
+++ b/apparmor.d/ccze
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ccze
+profile ccze @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/ccze/*.so mr,
+
+ /etc/cczerc r,
+
+ #include if exists
+}
diff --git a/apparmor.d/cfdisk b/apparmor.d/cfdisk
new file mode 100644
index 00000000..01b14509
--- /dev/null
+++ b/apparmor.d/cfdisk
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/cfdisk
+profile cfdisk @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/partitions r,
+
+ /etc/fstab r,
+
+ owner /{,var/}run/blkid/blkid.tab{,-*} rw,
+ owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ # A place for backups
+ owner @{HOME}/**.{bak,back} rwk,
+ owner /media/*/**.{bak,back} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/cgdisk b/apparmor.d/cgdisk
new file mode 100644
index 00000000..5ffd5bdf
--- /dev/null
+++ b/apparmor.d/cgdisk
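Review bot: `capability sys_admin,` is the only capability in this profile and carries no why-comment, unlike the capability rules in cgrulesengd, chage and chfn in this same commit; presumably it covers the BLKRRPART ioctl cfdisk issues so the kernel re-reads the partition table after it has been written, and the rule should say so, e.g. `# To re-read the partition table (BLKRRPART ioctl) after writing it`. The same uncommented rule appears in cgdisk in the next hunk. The `# A place for backups` rules grant `rwk` on `**.{bak,back}` anywhere under `@{HOME}` and `/media/*/`, which is broader than the single backup file a partition editor writes; if the pattern is deliberately shared with cgdisk, naming the expected location in the comment would make the breadth reviewable later.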
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/cgdisk
+profile cgdisk @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ # A place for backups
+ owner @{HOME}/**.{bak,back} rwk,
+ owner /media/*/**.{bak,back} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/cgrulesengd b/apparmor.d/cgrulesengd
new file mode 100644
index 00000000..b4d71003
--- /dev/null
+++ b/apparmor.d/cgrulesengd
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/cgrulesengd
+profile cgrulesengd @{exec_path} {
+ #include
+ #include
+
+ # For creating Unix domain sockets/IPC sockets:
+ # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
+ # ...
+ # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
+ # not permitted)
+ capability net_admin,
+
+ # To remove the following errors:
+ # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
+ capability sys_ptrace,
+
+ # To be able to read the /proc/ files of all processes in the system.
+ capability dac_read_search,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ @{sys}/fs/cgroup/**/tasks w,
+
+ @{PROC}/ r,
+ @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/cgroups r,
+
+ owner /{var/,}run/cgred.socket w,
+
+ /etc/cgconfig.conf r,
+ /etc/cgrules.conf r,
+
+ #include if exists
+}
diff --git a/apparmor.d/chage b/apparmor.d/chage
new file mode 100644
index 00000000..bdd346d3
--- /dev/null
+++ b/apparmor.d/chage
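Review bot: `ptrace (read),` carries no `peer=` restriction, and together with `capability sys_ptrace` and `capability dac_read_search` it lets the daemon inspect `/proc` entries of every process on the system; that is what a cgroup rules engine has to do to classify processes, but the rule itself deserves a comment saying the unrestricted scope is deliberate, e.g. `# Read /proc/<pid>/exe and cmdline of every process in order to classify it`. `@{sys}/fs/cgroup/**/tasks w,` names only the cgroup v1 interface file; if the daemon is expected to run on a unified (v2) hierarchy, where processes are moved via `cgroup.procs`, that path would need covering too — I cannot tell from this hunk which hierarchy is targeted, so a comment either way would help.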
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/chage
+profile chage @{exec_path} {
+ #include
+ #include
+ #include
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ @{exec_path} mr,
+
+ /etc/login.defs r,
+
+ /etc/{passwd,shadow} rw,
+ /etc/{passwd,shadow}.@{pid} w,
+ /etc/{passwd,shadow}- w,
+ /etc/{passwd,shadow}+ rw,
+
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+ /etc/shadow.lock wl -> /etc/shadow.@{pid},
+
+ # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
+ # modify the /etc/passwd or /etc/shadow password database.
+ /etc/.pwd.lock rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/changestool b/apparmor.d/changestool
new file mode 100644
index 00000000..f03af570
--- /dev/null
+++ b/apparmor.d/changestool
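Review bot: chfn, later in this commit, grants `capability chown` and `capability fsetid` with the comment that they restore ownership and mode on the rewritten files under /etc, whereas chage rewrites `/etc/{passwd,shadow}` through the same `.@{pid}` / `.lock` / `+` / `-` sequence with only `audit_write`; if the chage commit path sets ownership or mode on the new file the same way, those capability denials will only surface in the audit log once the profile is enforced. Worth confirming with a real edit (not just `chage -l`) and then either adding the capabilities with the same comment or noting why chage does not need them. The four `/etc/{passwd,shadow}*` rules would also read better with a one-line comment naming the write-to-temp-then-rename sequence they cover, as the `.pwd.lock` rule already has.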
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/changestool
+profile changestool @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # For package building
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpgconf mr,
+ /{usr/,}bin/gpgsm mr,
+
+ owner @{HOME}/.gnupg/ r,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/check-bios-nx b/apparmor.d/check-bios-nx
new file mode 100644
index 00000000..c1bba888
--- /dev/null
+++ b/apparmor.d/check-bios-nx
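Review bot: `@{BUILD_DIR} = /media/debuilder/` ends in a slash, so `owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,` expands to `/media/debuilder//**`; as far as I can tell that only works because the parser collapses repeated slashes, and it differs from how `@{BRAVE_INSTALLDIR}` and the other directory variables in this commit are written. Dropping the trailing slash, `@{BUILD_DIR} = /media/debuilder`, keeps the expansion literal, and a comment that this is a site-specific path the deployer is expected to change would help. The `gpg` child gets `owner @{HOME}/.gnupg/** rwkl`, i.e. write and link access to the whole keyring from a tool that only signs .changes files; a comment on why read-only on the keyring is not enough (presumably lock files and the agent socket) would make that grant reviewable.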
@@ -0,0 +1,55 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/check-bios-nx
+profile check-bios-nx @{exec_path} {
+ #include
+ #include
+
+ # To remove the following errors:
+ # /usr/sbin/check-bios-nx: 19: cannot create /dev/stderr: Permission denied
+ capability dac_override,
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/getopt rix,
+
+ /{usr/,}bin/kmod rCx -> kmod,
+
+ /{usr/,}sbin/rdmsr rPx,
+
+ owner @{PROC}/@{pid}/fd/2 w,
+
+
+ profile kmod {
+ #include
+
+ /{usr/,}bin/kmod mr,
+
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/*.conf r,
+ /usr/lib/modprobe.d/ r,
+ /usr/lib/modprobe.d/*.conf r,
+ /usr/lib/modules/*/modules.* r,
+
+ @{PROC}/cmdline r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status
new file mode 100644
index 00000000..bce5f857
--- /dev/null
+++ b/apparmor.d/check-support-status
@@ -0,0 +1,78 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/check-support-status
+profile check-support-status @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} rix,
+ /{usr/,}bin/dash r,
+
+ /etc/debian_version r,
+
+ /{usr/,}bin/gettext.sh r,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/fold rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/awk rix,
+ /{usr/,}bin/comm rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/gettext rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/envsubst rix,
+ /{usr/,}bin/dirname rix,
+
+ /{usr/,}bin/dpkg-query rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /{usr/,}bin/debconf-escape rCx -> debconf-escape,
+
+ / r,
+ /tmp/ r,
+ owner /tmp/debian-security-support.*/{,**} rw,
+ /tmp/debian-security-support.postinst.*/output w,
+
+ owner /var/lib/debian-security-support/security-support.semaphore rw,
+ owner /var/lib/debian-security-support/tmp.* rw,
+
+ /usr/share/debian-security-support/* r,
+
+
+ profile debconf-escape flags=(complain) {
+ #include
+ #include
+
+ /{usr/,}bin/debconf-escape r,
+ /{usr/,}bin/perl r,
+
+ owner /tmp/debian-security-support.postinst.*/output r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook
new file mode 100644
index 00000000..a663d4ce
--- /dev/null
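Review bot: `profile check-support-status @{exec_path} flags=(complain) {` (and its `debconf-escape` child) ships in complain mode, so every rule below only logs and nothing is enforced; that may be intended while the rule set settles, but nothing in the file says so or what is still missing. A comment above the profile line naming why it is still in complain mode and which denial blocks switching to enforce would stop the flag from outliving its purpose; the same applies to check-support-status-hook and its three children in the next file. `/tmp/debian-security-support.postinst.*/output w,` is also the only /tmp rule here without `owner`, while the line above it has it; if that is because the file is created by the hook under another uid (the hook lists `chown` and `runuser`), a comment saying so would keep a later clean-up from adding `owner` and breaking it.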
+++ b/apparmor.d/check-support-status-hook 
@@ -0,0 +1,122 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /usr/share/debian-security-support/check-support-status.hook
+profile check-support-status-hook @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/getent rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/chown rix,
+ /{usr/,}bin/stat rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+
+ /{usr/,}sbin/adduser rPx,
+ /{usr/,}bin/check-support-status rPx,
+ /{usr/,}bin/debconf-escape rCx -> debconf-escape,
+ /{usr/,}sbin/runuser rCx -> runuser,
+
+ # Think what to do about this (#FIXME#)
+ /usr/share/debconf/frontend rPx,
+ #/usr/share/debconf/frontend rCx -> frontend,
+
+ /usr/share/debconf/confmodule r,
+
+ owner /tmp/debian-security-support.postinst.*/ rw,
+ owner /tmp/debian-security-support.postinst.*/output rw,
+
+
+ profile debconf-escape flags=(complain) {
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/debconf-escape r,
+ /{usr/,}bin/perl r,
+
+ owner /tmp/debian-security-support.postinst.*/output r,
+
+ }
+
+ profile frontend flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ /usr/share/debconf/frontend r,
+ /{usr/,}bin/perl r,
+
+ /usr/share/debian-security-support/check-support-status.hook rPx,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
+
+ /etc/debconf.conf r,
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+
+ # The following is needed when debconf uses GUI frontends.
+ #include
+ #include
+ #include
+ #include
+ capability dac_read_search,
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/hostname rPx,
+ owner @{PROC}/@{pid}/mounts r,
+ @{HOME}/.Xauthority r,
+
+ }
+
+ profile runuser flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ # To remove the following errors:
+ # runuser: cannot set user id: Operation not permitted
+ capability setuid,
+
+ # To remove the following errrors:
+ # runuser: cannot set groups: Operation not permitted
+ capability setgid,
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ /{usr/,}sbin/runuser mr,
+
+ /{usr/,}bin/bash rix,
+
+ /{usr/,}bin/check-support-status rPx,
+
+ owner @{PROC}/@{pids}/loginuid r,
+ @{PROC}/1/limits r,
+
+ /etc/security/limits.d/ r,
+
+ owner /tmp/debian-security-support.postinst.*/output w,
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/chfn b/apparmor.d/chfn
new file mode 100644
index 00000000..73aa1bf8
--- /dev/null
+++ b/apparmor.d/chfn
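Review bot: The `frontend` child profile is unreachable: the only transition into it, `#/usr/share/debconf/frontend rCx -> frontend,`, is commented out and the live rule is `/usr/share/debconf/frontend rPx,`, so the whole child — including `capability dac_read_search` and `@{HOME}/.Xauthority r` — is dead policy that a reader will assume is in effect. Either drop the child until the `#FIXME#` is resolved or extend the comment to say it is kept as the intended replacement for the `rPx` and is currently inactive. Inside it, `@{HOME}/.Xauthority r,` is the one `@{HOME}` rule in this file without `owner`; if that is because the hook runs as root while the X cookie belongs to the invoking user, a comment should say so. Every profile in this file carries `flags=(complain)`, so none of this is enforced yet; see the note on check-support-status above.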
@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/chfn
+profile chfn @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ # To set the right permission to the files in the /etc/ dir.
+ capability chown,
+ capability fsetid,
+
+ # chfn is a SETUID binary
+ capability setuid,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/loginuid r,
+
+ /etc/passwd rw,
+ /etc/passwd- w,
+ /etc/passwd+ rw,
+ /etc/passwd.@{pid} w,
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+
+ /etc/shadow r,
+
+ # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
+ # modify the /etc/passwd or /etc/shadow password database.
+ /etc/.pwd.lock rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/child-dpkg b/apparmor.d/child-dpkg
new file mode 100644
index 00000000..1fa3533d
--- /dev/null
+++ b/apparmor.d/child-dpkg
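Review bot: `# chfn is a SETUID binary` describes the file, not what `capability setuid,` permits; the rule mediates the setuid()/setresuid() calls the program makes (presumably to drop root once the user is authenticated), and the comment should say that, e.g. `# To drop root privileges after authenticating the user (setuid()/setresuid())`. `/etc/shadow r,` further down is the one read a non-root caller could not do on its own, so it is the rule this setuid profile really adds; a comment on why chfn needs it (presumably password verification) would make the grant auditable, in the same way the `.pwd.lock` rule is already explained.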
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> child-dpkg" exec transitions from
+# other profiles. We want to confine the dpkg(1) utility when it
+# is invoked from other confined applications, but not when it is used
+# in regular (unconfined) shell scripts or run directly by the user.
+
+#abi ,
+
+#include
+
+# Do not attach to /{usr/,}bin/dpkg by default
+profile child-dpkg {
+ #include
+ #include
+
+ # Needed?
+ deny capability setgid,
+
+ /{usr/,}bin/dpkg mr,
+
+ /{usr/,}bin/dpkg-query rPx,
+
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
+ /var/lib/dpkg/** r,
+
+ # file_inherit
+ /tmp/#[0-9]*[0-9] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/child-dpkg-divert b/apparmor.d/child-dpkg-divert
new file mode 100644
index 00000000..e1dde189
--- /dev/null
+++ b/apparmor.d/child-dpkg-divert
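Review bot: `# Needed?` above `deny capability setgid,` leaves an open question in shipped policy; an explicit `deny` does two things here — it blocks the capability and, unlike an implicit denial, it suppresses the audit record — so the comment should say which of the two is wanted, e.g. `# dpkg tries setgid at startup; deny it quietly rather than granting it`, with the actual reason confirmed from the audit log. The profile only grants `/var/lib/dpkg/** r`, which means confined callers can run query- and compare-style dpkg invocations but not installs or removals; that is a sensible boundary for a child profile and is worth stating in the header note so nobody later "fixes" it by adding write access. The same `/tmp/#[0-9]*[0-9] rw,` inherited-descriptor rule appears in child-dpkg-divert in the next hunk.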
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> child-dpkg-divert" exec transitions
+# from other profiles. We want to confine the dpkg-divert(1) utility when
+# it is invoked from other confined applications, but not when it is used
+# in regular (unconfined) shell scripts or run directly by the user.
+
+#abi ,
+
+#include
+
+# Do not attach to /{usr/,}bin/dpkg-divert by default
+profile child-dpkg-divert {
+ #include
+
+ /{usr/,}bin/dpkg-divert mr,
+
+ /var/lib/dpkg/arch r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/dpkg/triggers/File r,
+ /var/lib/dpkg/triggers/Unincorp r,
+ /var/lib/dpkg/diversions r,
+
+ # file_inherit
+ /tmp/#[0-9]*[0-9] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/child-lsb_release b/apparmor.d/child-lsb_release
new file mode 100644
index 00000000..1d598783
--- /dev/null
+++ b/apparmor.d/child-lsb_release
@@ -0,0 +1,66 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-lsb_release" exec transitions +# from other profiles. We want to confine the lsb_release(1) utility when +# it is invoked from other confined applications, but not when it is used +# in regular (unconfined) shell scripts or run directly by the user. + +#abi , + +#include + +# Do not attach to /{usr/,}bin/lsb_release by default +profile child-lsb_release { + #include + #include + #include + + signal (receive) set=(term, kill), + + owner @{PROC}/@{pid}/fd/ r, + + /{usr/,}bin/lsb_release r, + /{usr/,}bin/python3.[0-9]* r, + + /etc/debian_version r, +# /etc/default/apport r, + /etc/dpkg/origins/** r, +# /etc/lsb-release r, +# /etc/lsb-release.d/ r, + +# /{usr/,}bin/bash ixr, +# /{usr/,}bin/dash ixr, +# /{usr/,}bin/basename ixr, + +# /{usr/,}bin/getopt ixr, +# /{usr/,}bin/sed ixr, +# /{usr/,}bin/tr ixr, + + /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/apt-cache rPx, + + /{usr/,}bin/ r, +# /usr/include/python*/pyconfig.h r, + /usr/share/distro-info/*.csv r, +# /usr/share/dpkg/** r, +# /usr/share/terminfo/** r, +# /var/lib/dpkg/** r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, +# deny /tmp/gtalkplugin.log w, + /dev/dri/card[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/child-pager b/apparmor.d/child-pager new file mode 100644 index 00000000..627abbfe --- /dev/null +++ b/apparmor.d/child-pager 
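Review bot: `/dev/dri/card[0-9]* rw,` in the file_inherit section grants a release-info tool read/write access to the GPU device node, which lsb_release has no use for. If the rule exists only to quiet audit entries for a descriptor inherited from a graphical parent, `deny /dev/dri/card[0-9]* rw,` silences the same entries without widening the profile, in the same spirit as the commented-out `deny /tmp/gtalkplugin.log w,` just above it. `/{usr/,}bin/ r,` allows listing /usr/bin; a one-line comment on why it is needed (presumably the Python interpreter lookup, given `/{usr/,}bin/python3.[0-9]* r,`) would stop it being copied into other child profiles unexamined.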
@@ -0,0 +1,36 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-pager" exec transitions from +# other profiles. We want to confine the pager(1) utility when it +# is invoked from other confined applications, but not when it is used +# in regular (unconfined) shell scripts or run directly by the user. + +#abi , + +#include + +# Do not attach to /{usr/,}bin/pager by default +profile child-pager { + #include + #include + + signal (receive) set=(stop, cont, term, kill), + + /{usr/,}bin/pager mr, + /{usr/,}bin/less mr, + /{usr/,}bin/more mr, + + owner @{HOME}/.lesshs* rw, + + #include if exists +} diff --git a/apparmor.d/child-systemctl b/apparmor.d/child-systemctl new file mode 100644 index 00000000..23717922 --- /dev/null +++ b/apparmor.d/child-systemctl 
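Review bot: `owner @{HOME}/.lesshs* rw,` is broader than the single history file less writes; `owner @{HOME}/.lesshst rw,` is exact and documents what the rule is for. The profile deliberately contains no exec rules, so the pager's shell and editor escapes are denied under enforcement, which is the right posture for a child pager but is easy to "fix" later by someone chasing audit entries; a comment such as `# No ix/Px rules on purpose: shell and editor escapes from the pager stay denied` keeps that decision visible.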
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-systemctl" exec transitions +# from other profiles. We want to confine the systemctl(1) utility when +# it is invoked from other confined applications, but not when it is +# used in regular (unconfined) shell scripts or run directly by the user. + +#abi , + +#include + +# Do not attach to /{usr/,}bin/systemctl by default +profile child-systemctl { + #include + #include + #include + + capability sys_ptrace, + + ptrace (read), + + /{usr/,}bin/systemctl mr, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + + @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + + /dev/kmsg w, + + #include if exists +} diff --git a/apparmor.d/chromium b/apparmor.d/chromium new file mode 100644 index 00000000..9d16a395 --- /dev/null +++ b/apparmor.d/chromium 
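Review bot: `ptrace (read),` and `capability sys_ptrace,` carry no `peer=` restriction, so the confined systemctl may read the state of any process on the system, while the file rules below only ask for PID 1 (`@{PROC}/1/environ r,`, `@{PROC}/1/sched r,`). If the ptrace access exists only to read those init files, a peer restriction such as `ptrace (read) peer=unconfined,` narrows it to unconfined processes (PID 1 on a typical system); confirm against the audit log first, since any other peer label would then be denied. `/dev/kmsg w,` is an unusual grant for a client tool and should carry a comment naming the systemctl operation that writes to the kernel log.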
@@ -0,0 +1,65 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium +@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium +@{CHROMIUM_CACHEDIR} = @{HOME}/.cache/chromium + +@{exec_path} = /{usr/,}bin/chromium +profile chromium @{exec_path} { + #include + #include + #include + + @{exec_path} r, + + @{CHROMIUM_INSTALLDIR}/chromium rPx, + + /{usr/,}bin/dash rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/mktemp rix, + + # For chromium -g + /{usr/,}bin/gdb rPUx, + + owner /tmp/chromiumargs.?????? rw, + + # For a temp profile + owner /tmp/tmp.*/ rw, + owner /tmp/tmp.*/** rwk, + + # For "chromium --help" + /{usr/,}bin/man rPUx, + /{usr/,}bin/sed rix, + + /etc/chromium.d/{,*} r, + + /etc/debian_version r, + + /usr/share/chromium/extensions/ r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/chromium-chrome-sandbox b/apparmor.d/chromium-chrome-sandbox new file mode 100644 index 00000000..8cdc3492 --- /dev/null +++ b/apparmor.d/chromium-chrome-sandbox 
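Review bot: `/{usr/,}bin/gdb rPUx,` and `/{usr/,}bin/man rPUx,` fall back to unconfined execution when no gdb/man profile is loaded, and in the gdb case the browser started under the debugger then runs entirely outside the chromium-chromium profile. That is presumably intended for `chromium -g`, but it deserves a comment, e.g. `# PUx: unconfined if no gdb profile exists, so the browser it spawns is not confined either`. The same unconfined-fallback caveat applies to the `rPUx` transitions in chromium-chromium (keepassxc-proxy, xdg-*), claws-mail (exim4, geany) and conky (sensors, vnstat, mokutil) in this commit.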
@@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium +@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium +@{CHROMIUM_CACHEDIR} = @{HOME}/.cache/chromium + +@{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome-sandbox + +profile chromium-chrome-sandbox @{exec_path} { + #include + #include + + # For kernel unprivileged user namespaces + capability sys_admin, + capability sys_chroot, + capability setuid, + capability setgid, + + # optional + capability sys_resource, + + @{exec_path} mr, + @{CHROMIUM_INSTALLDIR}/chromium rPx, + + @{PROC}/@{pids}/ r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + + #include if exists +} diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium new file mode 100644 index 00000000..0dab0c8f --- /dev/null +++ b/apparmor.d/chromium-chromium 
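Review bot: The comment `# For kernel unprivileged user namespaces` above the four capability rules is misleading: the setuid chrome-sandbox helper is the path Chromium takes when it cannot create user namespaces unprivileged, and `sys_admin`/`sys_chroot`/`setuid`/`setgid` are what it needs to set up the namespaces and chroot itself. The chromium-chromium profile in this same commit describes the opposite case (`kernel.unprivileged_userns_clone` set to 1) for its own sys_admin/sys_chroot rules, so I would reword this one to `# Needed by the setuid sandbox to build the namespace/chroot jail itself when unprivileged user namespaces are disabled`. `@{CHROMIUM_HOMEDIR}` and `@{CHROMIUM_CACHEDIR}` are defined but unused in this file, as in the chromium wrapper profile.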
@@ -0,0 +1,204 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium +@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium +@{CHROMIUM_CACHEDIR} = @{HOME}/.cache/chromium + +@{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium +profile chromium-chromium @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set + # to "1". + capability sys_admin, + capability sys_chroot, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/uid_map w, + + ptrace (trace) peer=@{profile_name}, + ptrace (read) peer=xdg-settings, + ptrace (read) peer=keepassxc-proxy, + ptrace (read) peer=child-lsb_release, + + signal (send) set=(term, kill) peer=keepassxc-proxy, + + @{exec_path} mrix, + + @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx, + + # For storing passwords externally + /{usr/,}bin/keepassxc-proxy rPUx, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/xdg-mime rPUx, + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-settings rPUx, + /{usr/,}bin/xdg-desktop-menu rPUx, + /{usr/,}bin/xdg-icon-resource rPUx, + + # To remove the following error: + # Error initializing NSS with a persistent database + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + # Chromium files + 
/usr/share/chromium/{,**} r, + + # Chrome extensions (for Debian) + /usr/share/webext/{,**} r, + + /usr/share/mozilla/extensions/{,**} r, + + /etc/chromium/ r, + /etc/chromium/master_preferences r, + + # Chromium home files + owner @{HOME}/ r, + owner @{CHROMIUM_HOMEDIR}/ rw, + owner @{CHROMIUM_HOMEDIR}/** rwk, + owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, + + owner @{HOME}/.local/share/.org.chromium.Chromium.* rw, + + # Cache files + owner @{HOME}/.cache/ rw, + owner @{CHROMIUM_CACHEDIR}/{,**/} rw, + owner @{CHROMIUM_CACHEDIR}/*/**/{*-,}index rw, + owner @{CHROMIUM_CACHEDIR}/*/**/[a-f0-9]*_? rw, + owner @{CHROMIUM_CACHEDIR}/*/**/todelete_* rw, + + # For importing data (bookmarks, cookies, etc) from Firefox + owner @{HOME}/.mozilla/firefox/profiles.ini r, + owner @{HOME}/.mozilla/firefox/*/ r, + owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, + owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, + owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, + owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/logins.json r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # Needed or chromium gets crash with the following error: + # FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 
0) + @{PROC}/ r, + # + deny @{PROC}/vmstat r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/@{pid}/fd/ r, + deny @{PROC}/@{pids}/stat r, + deny @{PROC}/@{pids}/statm r, + # To remove the following error: + # Failed to adjust OOM score of renderer with pid : Permission denied + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + # + deny @{PROC}/@{pids}/cmdline r, + deny owner @{PROC}/@{pids}/environ r, + owner @{PROC}/@{pids}/task/ r, + deny @{PROC}/@{pids}/task/@{tid}/stat r, + deny @{PROC}/@{pids}/task/@{tid}/status r, + deny owner @{PROC}/@{pid}/limits r, + deny owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + # To remove the following error: + # file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches + @{PROC}/sys/fs/inotify/max_user_watches r, + + deny /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Udev enumeration + @{sys}/bus/ r, + @{sys}/bus/**/devices/ r, + @{sys}/devices/**/uevent r, + @{sys}/class/ r, + @{sys}/class/**/ r, + /{,var/}run/udev/data/* r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + + deny @{sys}/devices/virtual/tty/tty[0-9]/active r, + + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + # The irq file is needed to render pages. 
+ @{sys}/devices/pci[0-9]*/**/irq r, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/.org.chromium.Chromium.* rw, + owner /tmp/.org.chromium.Chromium.*/{,**} rw, + + # For the temp profile + owner /tmp/tmp.*/ rw, + owner /tmp/tmp.*/** rwk, + + # For installing/updating extensions + owner /tmp/scoped_dir*/ rw, + owner /tmp/scoped_dir*/** rw, + + # Silencer + deny @{CHROMIUM_INSTALLDIR}/** w, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + /{usr/,}bin/dash rix, + + # Allowed apps to open + /{usr/,}bin/smplayer rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/chsh b/apparmor.d/chsh new file mode 100644 index 00000000..ecbf3af1 --- /dev/null +++ b/apparmor.d/chsh 
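Review bot: `owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,` grants write and execute-mmap on the same user-writable file, and `owner @{CHROMIUM_HOMEDIR}/** rwk,` already makes the whole tree writable, so anything that can write into the profile directory produces code the browser will map executable. The in-profile Widevine updater presumably requires this, but it is the only `m` rule in the profile that points at a writable location and should say so: `# Widevine CDM is downloaded into the profile dir and then mmapped; w+m on one file is deliberate`. The `profile open` child allows only `/{usr/,}bin/smplayer rPx,`, so every other handler is denied; that looks intended, and the `# Allowed apps to open` comment could state it so the denials are not mistaken for bugs.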
@@ -0,0 +1,52 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/chsh +profile chsh @{exec_path} { + #include + #include + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + # gpasswd is a SETUID binary + capability setuid, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/loginuid r, + + /etc/shells r, + + /etc/passwd rw, + /etc/passwd- w, + /etc/passwd+ rw, + /etc/passwd.@{pid} w, + /etc/passwd.lock wl -> /etc/passwd.@{pid}, + + /etc/shadow r, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/claws-mail b/apparmor.d/claws-mail new file mode 100644 index 00000000..d6cb6689 --- /dev/null +++ b/apparmor.d/claws-mail 
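Review bot: The comment `# gpasswd is a SETUID binary` above `capability setuid,` names the wrong program; this is the chsh profile, so it should read `# chsh is a SETUID binary` (the line looks copied from a gpasswd profile). `/etc/shadow r,` is a sensitive grant for a user-facing tool; presumably chsh reads it to verify the caller's password before changing the shell, which, once confirmed, is worth one comment line so the rule is not widened or dropped by accident.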
@@ -0,0 +1,93 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/claws-mail +profile claws-mail @{exec_path} flags=(complain) { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/which rix, + + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, + + # For Orage integration + /{usr/,}bin/orage rPUx, + + # For sending local mails + /{usr/,}sbin/exim4 rPUx, + + # For editing in an external editor + /{usr/,}bin/geany rPUx, + + owner @{HOME}/ r, + owner @{HOME}/.claws-mail/ rw, + owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**, + + owner /tmp/claws-mail-[0-9]*/ rw, + owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw, + owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk, + + owner /var/mail/* rwk, + + owner @{HOME}/Mail/ rw, + owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/sounds/freedesktop/stereo/*.oga r, + /usr/share/publicsuffix/*.dafsa r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + + profile gpg { + #include + + /{usr/,}bin/gpg mr, + /{usr/,}bin/gpgsm mr, + /{usr/,}bin/gpgconf mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + } + + #include if exists +} 
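Review bot: `profile claws-mail @{exec_path} flags=(complain) {` loads the profile in complain mode, so every rule in this hunk is logged rather than enforced, and nothing in the commit says whether that is temporary. A profile committed in complain mode tends to stay that way; if the rule set is still being collected, a comment such as `# complain: rules still being gathered from audit logs, switch to enforce once stable` above the profile line keeps the state visible. The same applies to colord-sane and colord-session in this commit.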
diff --git a/apparmor.d/code b/apparmor.d/code new file mode 100644 index 00000000..0fd838ca --- /dev/null +++ b/apparmor.d/code 
@@ -0,0 +1,148 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code +profile code @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + # The following doesn't seem to be needed + ##include + ##include + ##include + ##include + #include + #include + #include + + ptrace (read) peer=child-lsb_release, + + @{exec_path} mrix, + + /usr/share/code/** r, + /usr/share/code/libffmpeg.so mr, + /usr/share/code/resources/**/bin/* rix, + /usr/share/code/resources/**.node mr, + + # The bash shell is needed only when you want to start code via bin/code. Also the shells are + # needed if you plan to operate on the built in terminal. If you don't need the built in terminal + # and want to use the linux one, the following three lines can be commented out. 
+ # /{usr/,}bin/bash rix, + # /{usr/,}bin/zsh rix, + # /{usr/,}bin/dash rix, + + #/{usr/,}bin/dirname rix, + #/{usr/,}bin/{,e}grep rix, + #/{usr/,}bin/id rix, + #/{usr/,}bin/readlink rix, + #/{usr/,}bin/which rix, + #/{usr/,}sbin/ifconfig rix, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + + /{usr/,}bin/git rPUx, + + # Needed to sign commits + /{usr/,}bin/gpg rPUx -> gpg, + + # /home/ r, + # Reading of the user home dir is required or the following error will be printed: + # Unexpected end of JSON input: + #owner @{HOME}/ r, + owner @{HOME}/.config/Code/ rw, + owner @{HOME}/.config/Code/** rwkl -> {HOME}/.config/Code/**, + owner @{HOME}/.vscode/ rw, + owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**, + + # Git dirs + / r, + /media/ r, + owner /media/*/ r, + owner /media/*/code/ r, + owner /media/*/code/** rwkl -> /media/*/code/**, + + # To remove the following error: + # Error initializing NSS with a persistent database + deny owner @{HOME}/.pki/ rw, + deny owner @{HOME}/.pki/nssdb/ rw, + deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # Needed or code gets crash with the following error: + # FATAL:proc_util.cc(36)] : Permission denied (13) + @{PROC}/ r, + # + deny @{PROC}/version r, + # + deny @{PROC}/vmstat r, + @{PROC}/@{pid}/fd/ r, + # Needed to remove the following error: + # Failed to activate the metrics package + # EACCES: permission denied, uv_resident_set_memory + deny @{PROC}/@{pids}/stat r, + deny @{PROC}/@{pids}/statm r, + # To remove the following error: + # Failed to adjust OOM score of renderer with pid : Permission denied + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pids}/task/ r, + deny owner @{PROC}/@{pids}/task/@{tid}/status r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny owner @{PROC}/@{pid}/net/dev 
r, + deny owner @{PROC}/@{pid}/net/if_inet6 r, + deny owner @{PROC}/@{pids}/cmdline r, + + deny /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + deny @{sys}/devices/virtual/tty/tty[0-9]/active r, + deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + # The irq file is needed to render pages. + deny @{sys}/devices/pci[0-9]*/**/irq r, + + /var/tmp/ r, + /tmp/ r, + owner "/tmp/VSCode Crashes/" rw, + owner /tmp/vscode-typescript[0-9]*/ rw, + + owner /{var/,}run/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw, + owner /{var/,}run/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw, + + owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw, + # For installing extensions + owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + #include if exists +} + diff --git a/apparmor.d/colord b/apparmor.d/colord new file mode 100644 index 00000000..08ae8d16 --- /dev/null +++ b/apparmor.d/colord 
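Review bot: `owner @{HOME}/.config/Code/** rwkl -> {HOME}/.config/Code/**,` is missing the `@` on the link target, so `{HOME}` is parsed as a brace alternation rather than the variable and the target is not the path intended (compare the `.vscode` rule directly below, which uses `@{HOME}`). It should read `owner @{HOME}/.config/Code/** rwkl -> @{HOME}/.config/Code/**,`. Separately, `/{usr/,}bin/git rPUx,` and `/{usr/,}bin/gpg rPUx -> gpg,` fall back to unconfined when no such profile is loaded, which means repository hooks and the signing tool then run without confinement; that is worth a comment next to the rules.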
@@ -0,0 +1,52 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/colord/colord /usr/libexec/colord +profile colord @{exec_path} { + #include + #include + + @{exec_path} mr, + + /{usr/,}lib/colord/colord-sane rPx, + /usr/libexec/colord-sane rPx, + + owner /var/lib/colord/** r, + owner /var/lib/colord/{mapping,storage}.db rwk, + + /etc/udev/hwdb.bin r, + + /usr/share/color/icc/{,**} r, + + @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/class/video4linux/ r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP}-*/{enabled,edid} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + + /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + /{var/,}run/udev/data/+usb:* r, # + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + + /usr/share/mime/mime.cache r, + + #include if exists +} diff --git a/apparmor.d/colord-sane b/apparmor.d/colord-sane new file mode 100644 index 00000000..cb3dcefb --- /dev/null +++ b/apparmor.d/colord-sane 
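Review bot: `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/cgroup r,` let colord read the command line and cgroup of every process, not just its own, and command lines can carry secrets passed as arguments, so a grant this broad deserves a stated reason. If colord reads these only to identify its D-Bus callers (which I cannot confirm from the hunk), a comment such as `# Read to identify D-Bus clients by caller pid` records it; if it only needs its own entries, `owner @{PROC}/@{pid}/cmdline r,` is enough.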
@@ -0,0 +1,46 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/colord/colord-sane /usr/libexec/colord-sane +profile colord-sane @{exec_path} flags=(complain) { + #include + + @{exec_path} mr, + + /etc/sane.d/{,**} r, + + /etc/snmp/snmp.conf r, + /var/lib/snmp/mibs/{iana,ietf}/ r, + /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, + + /var/lib/snmp/{mib,cert}_indexes/ rw, + /usr/share/snmp/mibs/{,*} r, + + /dev/bus/usb/ r, + + @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/bus/scsi/devices/ r, + @{sys}/class/ r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r, + @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, + + /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + /{var/,}run/udev/data/+usb:* r, # + + @{PROC}/sys/dev/parport/ r, + + #include if exists +} diff --git a/apparmor.d/colord-session b/apparmor.d/colord-session new file mode 100644 index 00000000..c72c6981 --- /dev/null +++ b/apparmor.d/colord-session 
@@ -0,0 +1,23 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/colord/colord-session /usr/libexec/colord-session +profile colord-session @{exec_path} flags=(complain) { + #include + + @{exec_path} mr, + + #include if exists +} diff --git a/apparmor.d/command-not-found b/apparmor.d/command-not-found new file mode 100644 index 00000000..c326919e --- /dev/null +++ b/apparmor.d/command-not-found @@ -0,0 +1,34 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/share/command-not-found/command-not-found +@{exec_path} += /{usr/,}bin/command-not-found +profile command-not-found @{exec_path} { + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + + /var/lib/command-not-found/commands.db rwk, + + /usr/share/command-not-found/{,**} r, + + #include if exists +} diff --git a/apparmor.d/compton b/apparmor.d/compton new file mode 100644 index 00000000..90ad8c81 --- /dev/null +++ b/apparmor.d/compton 
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/compton
+profile compton @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Compton config file
+ owner @{HOME}/.config/compton.conf rw,
+
+ /usr/share/X11/XErrorDB r,
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/conky b/apparmor.d/conky
new file mode 100644
index 00000000..eead9452
--- /dev/null
+++ b/apparmor.d/conky
@@ -0,0 +1,193 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/conky +profile conky @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # Needed tools to render conky output + /{usr/,}bin/dash rix, + /{usr/,}bin/bash rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/uniq rix, + /{usr/,}bin/head rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/date rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/sed rix, + + # To remove the following error: + # .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied + /{usr/,}bin/pgrep rix, + @{PROC}/sys/kernel/osrelease r, + + # Browsers to fetch remote content + /{usr/,}bin/wget rCx -> browse, + /{usr/,}bin/curl rCx -> browse, + /{usr/,}bin/lynx rCx -> browse, + /{usr/,}bin/w3m rCx -> browse, + + # Conky home files + owner @{HOME}/ r, + owner @{HOME}/.conky/ r, + owner @{HOME}/.conky/** rw, + + # Display images (graphic) inside of the conky window + /{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr, + + # Get the PRETTY_NAME name from /etc/os-release link + /etc/ r, + + # Get the kernel version and its architecture via "uname -r" + /{usr/,}bin/uname rix, + + # Display machine's hostname + /etc/hostname r, + + # Display machine's uptime + @{PROC}/uptime r, + + # Get the number of CPU cores + @{sys}/devices/system/cpu/present r, + + # Get the current frequency of the CPU + 
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, + + # Get load average values for 1, 5 and 15 minutes + @{PROC}/loadavg r, + + # Display processes' status + @{PROC}/ r, + # Get the PID value + @{PROC}/@{pid}/stat r, + # Get the name, %CPU and %RAM values + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/io r, + # Not needed + deny capability sys_ptrace, + deny ptrace (trace, read), + + # Display the hard disk model name + @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/**/model r, + @{sys}/block/sd[a-z]/device/model r, + # Display the disk write/read speed + @{PROC}/diskstats r, + # Get the mount point names + owner @{PROC}/@{pid}/mounts r, + # /etc/mtab r, + + # Display WiFi network status, which includes the following: + # ESSID, AP's MAC, bitrate, signal strength, IP address and down/up speed + @{PROC}/@{pid}/net/dev r, + # Display IPv6 address of an interface + @{PROC}/@{pid}/net/if_inet6 r, + + # Display the number of active TCP/TCP6 connections + @{PROC}/@{pid}/net/tcp{,6} r, + + # Xserver auth cookie for clients + owner @{HOME}/.Xauthority r, + + /dev/shm/#[0-9]*[0-9] rw, + + # Temperatures and Fans + /{usr/,}bin/sensors rPUx, + @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input r, + @{sys}/devices/**/hwmon/hwmon[0-9]*/temp[0-9]*_input r, + @{sys}/class/hwmon/ r, + @{PROC}/acpi/ibm/fan r, + + # Display network data transfer status + /{usr/,}bin/vnstat rPUx, + + # Display Secure Boot status + /{usr/,}bin/mokutil rPUx, + + @{PROC}/@{pid}/net/route r, + + owner /tmp/xauth-[0-9]*-_[0-9] r, + + /usr/share/X11/XErrorDB r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + + profile browse { + #include + #include + #include + #include + #include + + /{usr/,}bin/wget mr, + /{usr/,}bin/curl mr, + /{usr/,}bin/lynx mr, + /{usr/,}bin/w3m mr, + + /{usr/,}bin/dash rix, + + /etc/mime.types r, + /etc/mailcap r, + + /etc/lynx/* r, + /etc/wgetrc r, + /etc/w3m/config r, + /etc/w3m/mailcap r, + + owner @{HOME}/.wget-hsts rwk, + 
owner @{HOME}/.w3m/ rw, + owner @{HOME}/.w3m/** rw, + + owner @{HOME}/.conky/** rw, + + /usr/share/publicsuffix/public_suffix_list.* r, + + # file_inherit + owner /dev/tty[0-9]* rw, + deny @{PROC}/@{pids}/net/dev r, + deny @{PROC}/@{pids}/net/tcp r, + deny @{PROC}/@{pids}/net/tcp6 r, + deny @{PROC}/@{pids}/net/if_inet6 r, + deny @{PROC}/@{pids}/stat r, + deny @{PROC}/diskstats r, + deny @{PROC}/uptime r, + deny @{PROC}/loadavg r, + deny @{PROC}/@{pids}/cmdline r, + deny @{PROC}/@{pids}/io r, + deny @{PROC}/@{pid}/net/route r, + deny @{sys}/devices/**/hwmon/**/temp*_input r, + + } + + #include if exists +} diff --git a/apparmor.d/convertall b/apparmor.d/convertall new file mode 100644 index 00000000..2f87ac53 --- /dev/null +++ b/apparmor.d/convertall @@ -0,0 +1,53 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/convertall /usr/share/convertall/convertall.py +profile convertall @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/python3.[0-9]* rix, + + owner @{HOME}/.convertall rw, + + deny owner @{PROC}/@{pid}/cmdline r, + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/convertall/{,**} r, + /usr/share/doc/convertall/{,*} r, + + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + #include if exists +} 
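Review bot: The `browse` child profile, which runs wget/curl/lynx/w3m against remote content, has `owner @{HOME}/.conky/** rw,`, the same tree the parent executes scripts from via `/{usr/,}bin/bash rix,` and friends, so a fetcher that misbehaves on fetched content can rewrite a script the parent later runs. Least privilege would point the fetchers at a data-only subdirectory, e.g. `owner @{HOME}/.conky/**/cache/** rw,` (placeholder path; name it per the actual layout), leaving the scripts read-only to the child. The parent's own `owner @{HOME}/.conky/** rw,` has the same shape and merits a comment on which files conky actually writes there.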
diff --git a/apparmor.d/cppw-cpgr b/apparmor.d/cppw-cpgr new file mode 100644 index 00000000..3a187bb2 --- /dev/null +++ b/apparmor.d/cppw-cpgr @@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/cp{pw,gr} +profile cppw-cpgr @{exec_path} { + #include + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + @{exec_path} mr, + + /etc/{passwd,shadow,gshadow,group} rw, + /etc/{passwd,shadow,gshadow,group}.@{pid} rw, + /etc/{passwd,shadow,gshadow,group}.new rw, + /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/shadow.lock wl -> /etc/shadow.@{pid}, + /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, + /etc/group.lock wl -> /etc/group.@{pid}, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + # Source of the files to be replaced + owner /root/* r, + + #include if exists +} diff --git a/apparmor.d/cpuid b/apparmor.d/cpuid new file mode 100644 index 00000000..b643d96f --- /dev/null +++ b/apparmor.d/cpuid 
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/cpuid
+profile cpuid @{exec_path} {
+ #include
+
+ capability mknod,
+
+ @{exec_path} mr,
+
+ /dev/cpu/[0-9]*/cpuid r,
+
+ owner /tmp/cpuid* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/cpupower b/apparmor.d/cpupower
new file mode 100644
index 00000000..851c638a
--- /dev/null
+++ b/apparmor.d/cpupower
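Review bot: `capability mknod,` is granted, but the only device rule is `/dev/cpu/[0-9]*/cpuid r,`, which as far as I can tell gives no create permission on that path, so the capability cannot be exercised through this profile as written. If cpuid creates the device nodes when they are missing, the path rule also needs create permission; if it does not, the capability can be dropped. Either way a one-line comment above the capability stating which case applies would make the grant auditable, as the comments on cppw-cpgr's capabilities already do.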
@@ -0,0 +1,64 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/cpupower
+profile cpupower @{exec_path} {
+ #include
+
+ # Needed to read the /dev/cpu/[0-9]*/msr device, and hence remove the following error:
+ # Could not read perf-bias value[-1]
+ capability sys_rawio,
+
+ # Needed to operate on CPU IDLE states
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/kmod rCx -> kmod,
+ /{usr/,}bin/man rPx,
+
+ @{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
+ @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/{cpufreq,cpuidle}/ r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/{cpufreq,cpuidle}/** r,
+
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{min,max}_freq rw,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_setspeed rw,
+ @{sys}/devices/system/cpu/cpu[0-9]*/cpuidle/state[0-9]/disable rw,
+
+ @{sys}/devices/system/cpu/cpu[0-9]*/topology/{physical_package_id,core_id} r,
+
+ @{sys}/devices/system/cpu/cpu[0-9]*/online r,
+
+ /dev/cpu/[0-9]*/msr r,
+
+
+ profile kmod {
+ #include
+
+ /{usr/,}bin/kmod mr,
+
+ @{PROC}/cmdline r,
+ #@{PROC}/modules r,
+
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/*.conf r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/crda b/apparmor.d/crda
new file mode 100644
index 00000000..ce72d7b0
--- /dev/null
+++ b/apparmor.d/crda
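Review bot: The `kmod` child profile has no `capability sys_module` and no read rule under `/lib/modules/`, so if cpupower invokes kmod to actually load a cpufreq or cpuidle driver rather than only to query module state, the load will be denied inside this child. A comment on the `/{usr/,}bin/kmod rCx -> kmod,` line stating what kmod is called for would settle which rules belong in the child, and the commented-out `#@{PROC}/modules r,` suggests this was not fully settled. The `sys_rawio` grant combined with `/dev/cpu/[0-9]*/msr r,` is a strong pairing; the existing comment explains which error it silences, but adding that only read access to the MSR device is intended would help the next reviewer.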
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/crda
+profile crda @{exec_path} {
+ #include
+
+ # For "iw reg set PL"
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron b/apparmor.d/cron
new file mode 100644
index 00000000..8ad7acbe
--- /dev/null
+++ b/apparmor.d/cron
@@ -0,0 +1,127 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/cron
+profile cron @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ capability setuid,
+ capability setgid,
+ capability dac_read_search,
+ capability audit_write,
+ capability sys_resource,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/nice rix,
+ /{usr/,}bin/ionice rix,
+
+ /etc/crontab r,
+
+ # All stuff that is executed via the /etc/cron.d/ dir
+ /etc/cron.d/{,*} r,
+ /{usr/,}sbin/cron-apt rPx,
+ /{usr/,}bin/debsecan rPx,
+ /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
+ /{usr/,}sbin/e2scrub_all rPUx,
+ /etc/cron.daily/popularity-contest rPx,
+ /usr/local/bin/update-blacklist.sh rPUx,
+ /{usr/,}lib/sysstat/debian-sa1 rPUx,
+
+ # All stuff that is executed via the user crontab files
+ /{usr/,}bin/apt-file rPx,
+ /{usr/,}bin/apt-key rPx,
+ /{usr/,}bin/rsync rPUx,
+ /usr/share/rsync/scripts/rrsync rPUx,
+ /{usr/,}bin/gpg rPx,
+ /{usr/,}sbin/update-pciids rPx,
+
+ # Cron scripts in the /etc/cron.*/ dir to execute
+ /{usr/,}bin/run-parts rCx -> run-parts,
+
+ # Send results using email
+ /{usr/,}sbin/exim4 rPx,
+
+ /var/spool/cron/crontabs/{,*} r,
+
+ owner /{,var/}run/crond.pid rwk,
+ owner /{,var/}run/crond.reboot rw,
+
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ owner @{PROC}/@{pid}/uid_map r,
+ owner @{PROC}/@{pid}/loginuid rw,
+
+ /etc/environment r,
+
+ /etc/default/locale r,
+
+ @{PROC}/1/limits r,
+ /etc/security/limits.d/ r,
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/cron.hourly/ r,
+
+ /etc/cron.daily/ r,
+ /etc/cron.daily/apt-listbugs rPx,
+ /etc/cron.daily/apt-show-versions rPx,
+ /etc/cron.daily/bsdmainutils rPUx,
+ /etc/cron.daily/debtags rPUx,
+ /etc/cron.daily/exim4-base rPUx,
+ /etc/cron.daily/logrotate rPx,
+ /etc/cron.daily/mlocate rPx,
+ /etc/cron.daily/dlocate rPx,
+ /etc/cron.daily/passwd rPUx,
+ /etc/cron.daily/apt-compat rPUx,
+ /etc/cron.daily/aptitude rPx,
+ /etc/cron.daily/debsums rPx,
+ /etc/cron.daily/dpkg rPUx,
+ /etc/cron.daily/man-db rPUx,
+ /etc/cron.daily/popularity-contest rPx,
+ /etc/cron.daily/sysstat rPx,
+ /etc/cron.daily/spamassassin rPUx,
+
+ #/etc/cron.daily/opera-browser rPUx,
+ #/etc/cron.daily/google-chrome{,-beta,-unstable} rPUx,
+ #/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
+ #/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
+ #/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,
+
+ /etc/cron.monthly/ r,
+ /etc/cron.monthly/debsums rPx,
+ /etc/cron.monthly/vrms rPUx,
+
+ /etc/cron.weekly/ r,
+ /etc/cron.weekly/apt-xapian-index rPx,
+ /etc/cron.weekly/debsums rPx,
+ /etc/cron.weekly/man-db rPUx,
+ /etc/cron.weekly/tor rPUx,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ #include if exists
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-apt b/apparmor.d/cron-apt
new file mode 100644
index 00000000..11e494b9
--- /dev/null
+++ b/apparmor.d/cron-apt
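Review bot: The `run-parts` child profile grants `/etc/cron.hourly/ r,` but no exec rule for anything in that directory, while this same commit adds a `cron-ipset-autoban-save` profile attached to `/etc/cron.hourly/ipset_autoban_save`; as written, run-parts would be denied executing that script. Adding `/etc/cron.hourly/ipset_autoban_save rPx,` under the directory rule closes the gap. Separately, every `rPUx` entry (for example `/usr/local/bin/update-blacklist.sh rPUx,` and `/{usr/,}bin/rsync rPUx,`) falls back to unconfined execution from a root daemon whenever no profile exists for the target; a comment naming which of these are intentionally unconfined would keep that escape hatch from being overlooked later.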
@@ -0,0 +1,92 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/cron-apt
+profile cron-apt @{exec_path} {
+ #include
+ #include
+
+ # Needed?
+ capability setgid,
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/dotlockfile rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/diff rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/stat rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/expr rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/dd rix,
+ /{usr/,}bin/cksum rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/sleep rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/fold rix,
+
+ /{usr/,}bin/apt-get rPx,
+ /{usr/,}bin/apt-file rPx,
+ /{usr/,}bin/aptitude{,-curses} rPx,
+ /{usr/,}sbin/exim4 rPx,
+
+ /usr/share/cron-apt/{,*} r,
+
+ /etc/cron-apt/{,*/} r,
+ /etc/cron-apt/config r,
+ /etc/cron-apt/refrain r,
+ /etc/cron-apt/action.d/[0-9]-* r,
+
+ /var/lib/cron-apt/{,**/} w,
+ /var/lib/cron-apt/.lk@{pid}* rw,
+ /var/lib/cron-apt/lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*,
+ /var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/[0-9]-*-[0-9a-f]* rw,
+
+ # Logs
+ /var/log/cron-apt/ r,
+ /var/log/cron-apt/error w,
+ /var/log/cron-apt/temp rw,
+ /var/log/cron-apt/mail rw,
+ /var/log/cron-apt/lastfullmessage rw,
+
+ # For the "ls" command
+ /{usr/,}lib/locale/locale-archive r,
+
+ # TMP
+ owner /tmp/cron-apt.*/ rw,
+ owner /tmp/cron-apt.*/difftemp rw,
+ owner /tmp/cron-apt.*/lockfile rw,
+ owner /tmp/cron-apt.*/initlog rw,
+ owner /tmp/cron-apt.*/status rw,
+ owner /tmp/cron-apt.*/run{log,error,mail,syslog} rw,
+ owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-apt-listbugs b/apparmor.d/cron-apt-listbugs
new file mode 100644
index 00000000..0ee72b1d
--- /dev/null
+++ b/apparmor.d/cron-apt-listbugs
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/apt-listbugs
+profile cron-apt-listbugs @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
+
+ /{var/,}run/systemd/system r,
+
+
+ profile prefclean {
+ #include
+
+ /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
+
+ /{usr/,}bin/dash r,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/cat rix,
+
+ /var/spool/apt-listbugs/lastprefclean rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-apt-show-versions b/apparmor.d/cron-apt-show-versions
new file mode 100644
index 00000000..2e74b256
--- /dev/null
+++ b/apparmor.d/cron-apt-show-versions
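Review bot: The `# Needed?` comment above `capability setgid,` leaves a capability grant unresolved in an enforced profile, and a capability is the wrong place to carry an open question. It is answerable from the audit log: drop the line, run cron-apt once, and either restore it with the reason written in the comment or leave it out. The same unresolved marker appears in dconf-service later in this commit, on `deny capability sys_nice,`.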
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/apt-show-versions
+profile cron-apt-show-versions @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/apt-show-versions rPx,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-apt-xapian-index b/apparmor.d/cron-apt-xapian-index
new file mode 100644
index 00000000..bc953c31
--- /dev/null
+++ b/apparmor.d/cron-apt-xapian-index
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.weekly/apt-xapian-index
+profile cron-apt-xapian-index @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/{,e}grep rix,
+
+ /{usr/,}bin/nice rix,
+ /{usr/,}bin/ionice rix,
+
+ /{usr/,}sbin/update-apt-xapian-index rPx,
+ /{usr/,}sbin/on_ac_power rPx,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-aptitude b/apparmor.d/cron-aptitude
new file mode 100644
index 00000000..7479cc59
--- /dev/null
+++ b/apparmor.d/cron-aptitude
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/aptitude
+profile cron-aptitude @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+
+ /{usr/,}bin/savelog rix,
+ /{usr/,}bin/cmp rix,
+
+ /{usr/,}bin/gzip rix,
+
+ /var/lib/aptitude/pkgstates r,
+
+ /var/backups/ r,
+ /var/backups/* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-debsums b/apparmor.d/cron-debsums
new file mode 100644
index 00000000..6859e7ab
--- /dev/null
+++ b/apparmor.d/cron-debsums
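Review bot: `/var/backups/* rw,` lets this cron job rewrite every file under `/var/backups/`, not only the copies it rotates itself. If the script only backs up `/var/lib/aptitude/pkgstates` via savelog, narrowing the rule to the names savelog actually produces (something of the shape `/var/backups/aptitude.pkgstates* rw,`, checked against the real file names) keeps the other system backups in that directory out of reach of a shell script that runs as root daily.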
@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.{daily,weekly,monthly}/debsums
+profile cron-debsums @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/true rix,
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/{,e}grep rix,
+
+ /{usr/,}bin/ionice rix,
+
+ /{usr/,}bin/debsums rPx,
+ /{usr/,}bin/tee rCx -> tee,
+
+ /etc/default/debsums r,
+ /etc/debsums-ignore r,
+
+
+ profile tee {
+ #include
+ #include
+
+ # Needed to write to /proc/self/fd/3
+ capability dac_override,
+
+ /{usr/,}bin/tee mr,
+
+ owner @{PROC}/@{pid}/fd/3 rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-dlocate b/apparmor.d/cron-dlocate
new file mode 100644
index 00000000..3ff31343
--- /dev/null
+++ b/apparmor.d/cron-dlocate
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/dlocate
+profile cron-dlocate @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/update-dlocatedb rPx,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-ipset-autoban-save b/apparmor.d/cron-ipset-autoban-save
new file mode 100644
index 00000000..0b57f403
--- /dev/null
+++ b/apparmor.d/cron-ipset-autoban-save
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.hourly/ipset_autoban_save
+profile cron-ipset-autoban-save @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/bash rix,
+
+ /{usr/,}sbin/ipset rix,
+
+ /etc/peerblock/autoban rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-logrotate b/apparmor.d/cron-logrotate
new file mode 100644
index 00000000..5578e61a
--- /dev/null
+++ b/apparmor.d/cron-logrotate
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/logrotate
+profile cron-logrotate @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/logrotate rPx,
+
+ /{usr/,}bin/logger rix,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-mlocate b/apparmor.d/cron-mlocate
new file mode 100644
index 00000000..3a677dd1
--- /dev/null
+++ b/apparmor.d/cron-mlocate
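Review bot: `/{usr/,}sbin/ipset rix,` runs ipset under this profile, but no `capability net_admin` and no netlink `network` rule is visible here; ipset talks to the kernel over netlink and needs both, so unless one of the `#include` abstractions (whose names were stripped in this rendering) supplies them, the hourly save will be denied under enforcement. Worth confirming from the audit log and then either adding the missing rules with a comment or switching the line to `rPx` with a dedicated ipset profile, which also keeps net_admin out of a bash script's profile.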
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/mlocate
+profile cron-mlocate @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/bash rix,
+
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/true rix,
+ /{usr/,}bin/flock rix,
+ /{usr/,}bin/nocache rix,
+ /{usr/,}bin/ionice rix,
+ /{usr/,}bin/nice rix,
+
+ /{usr/,}bin/updatedb.mlocate rPx,
+ /{usr/,}sbin/on_ac_power rPx,
+
+ /{var/,}run/mlocate.daily.lock rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/cron-popularity-contest b/apparmor.d/cron-popularity-contest
new file mode 100644
index 00000000..985b85a9
--- /dev/null
+++ b/apparmor.d/cron-popularity-contest
@@ -0,0 +1,149 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/cron.daily/popularity-contest
+profile cron-popularity-contest @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/popularity-contest rPx,
+
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/setsid rix,
+
+ # To send reports via TOR
+ /{usr/,}bin/torify rix,
+ /{usr/,}bin/torsocks rix,
+ /{usr/,}sbin/getcap rix,
+
+ /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}sbin/runuser rCx -> runuser,
+ /{usr/,}bin/savelog rCx -> savelog,
+
+ /usr/share/popularity-contest/default.conf r,
+
+ /etc/popularity-contest.conf r,
+
+ /var/log/popularity-contest{,.new} rw,
+ /var/log/popularity-contest{,.new}.gpg rw,
+
+ # Store last successful http submission timestamp
+ /var/lib/popularity-contest/ rw,
+ /var/lib/popularity-contest/lastsub rw,
+
+ owner /tmp/tmp.*/ rw,
+ owner /tmp/tmp.*/random_seed w,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+
+ profile savelog {
+ #include
+
+ /{usr/,}bin/savelog mr,
+
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/gzip rix,
+
+ /{usr/,}bin/dash r,
+
+ /var/log/ r,
+ /var/log/popularity-contest.[0-9]*.gz rw,
+ /var/log/popularity-contest.[0-9]* rw,
+ /var/log/popularity-contest rw,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ }
+
+ profile runuser {
+ #include
+ #include
+ #include
+ #include
+
+ /{usr/,}sbin/runuser mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/popularity-contest rPx,
+
+ owner @{PROC}/@{pids}/loginuid r,
+ @{PROC}/1/limits r,
+
+ /etc/security/limits.d/ r,
+
+ /var/log/popularity-contest.new w,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ }
+
+ profile gpg {
+ #include
+ #include
+
+ /{usr/,}bin/gpg mr,
+
+ /usr/share/popularity-contest/debian-popcon.gpg r,
+
+ /var/log/popularity-contest.new r,
+ /var/log/popularity-contest.new.gpg rw,
+
+ owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ }
+
+ profile popcon-upload {
+ #include
+ #include
+ #include
+
+ /usr/share/popularity-contest/popcon-upload r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/gzip rix,
+
+ /var/log/ r,
+ /var/log/popularity-contest.new.gpg r,
+
+ # file_inherit
+ owner /tmp/#[0-9]*[0-9] rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/crontab b/apparmor.d/crontab
new file mode 100644
index 00000000..493a6860
--- /dev/null
+++ b/apparmor.d/crontab
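Review bot: `/{usr/,}bin/torify rix,` and `/{usr/,}bin/torsocks rix,` run inside this profile, and torsocks works by preloading its shared library into the program it wraps; no `mr` rule for that library appears here, so unless an included abstraction covers it the Tor submission path will likely be denied under enforcement while the plain HTTP path keeps working, which is easy to miss. A comment under `# To send reports via TOR` saying where the library rule lives (or adding it) would make this checkable, and the purpose of `/{usr/,}sbin/getcap rix,` in the same block is not obvious and deserves a word too.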
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/crontab
+profile crontab @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ # When editing the crontab file
+ /{usr/,}bin/sensible-editor rCx -> editor,
+ /{usr/,}bin/vim.* rCx -> editor,
+
+ /var/spool/cron/ r,
+ /var/spool/cron/crontabs/ rw,
+ owner /var/spool/cron/crontabs/* rw,
+
+ owner /tmp/crontab.*/{,crontab} rw,
+
+
+ profile editor {
+ #include
+ #include
+
+ capability fsetid,
+
+ /{usr/,}bin/sensible-editor mr,
+ /{usr/,}bin/vim.* mrix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
+
+ owner @{HOME}/.selected_editor r,
+
+ /usr/share/vim/{,**} r,
+ /etc/vim/{,**} r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+
+ owner @{HOME}/.fzf/plugin/ r,
+ owner @{HOME}/.fzf/plugin/fzf.vim r,
+
+ /tmp/ r,
+ owner /tmp/crontab.*/crontab rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/curl b/apparmor.d/curl
new file mode 100644
index 00000000..ecd4b535
--- /dev/null
+++ b/apparmor.d/curl
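Review bot: `capability fsetid,` in the `editor` child profile carries no comment, unlike the capability grants in cppw-cpgr and cpupower in this commit; a line such as `# fsetid: <reason observed in the audit log>` above it keeps the grant reviewable. Also, `sensible-editor` resolves to whatever `.selected_editor` or the environment names, but the child only permits `/{usr/,}bin/vim.* mrix,`, so any other editor fails with a denial the user will not expect; a comment on the `# When editing the crontab file` block stating that vim is the only supported editor would avoid that confusion.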
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/curl
+profile curl @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/publicsuffix/public_suffix_list.* r,
+
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/net/dev r,
+ @{PROC}/@{pids}/net/tcp{,6} r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/diskstats r,
+ @{PROC}/uptime r,
+ @{PROC}/loadavg r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dbus-daemon b/apparmor.d/dbus-daemon
new file mode 100644
index 00000000..2c319bd7
--- /dev/null
+++ b/apparmor.d/dbus-daemon
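Review bot: `@{PROC}/@{pids}/cmdline r,` and the neighbouring `stat`, `net/dev` and `net/tcp{,6}` rules are not `owner`-restricted, so curl may read the command line and socket tables of every process on the system, and command lines routinely carry tokens or passwords passed as arguments by other users. The profile at the top of this chunk treats exactly these paths as `file_inherit` noise and denies them; if curl does not actually need them, `deny` is the consistent choice here, otherwise prefix them with `owner` and add a comment naming the library that reads them.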
@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dbus-daemon
+profile dbus-daemon @{exec_path} {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability sys_resource,
+
+ signal (receive) set=(term, kill),
+
+ @{exec_path} mr,
+
+ /usr/libexec/* rPUx,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ /usr/share/dbus-1/ r,
+ /usr/share/dbus-1/** r,
+ /etc/dbus-1/ r,
+ /etc/dbus-1/** r,
+
+ /usr/share/defaults/**.conf r,
+
+ /{var/,}run/systemd/users/[0-9]* r,
+ owner /{var/,}run/user/[0-9]*/dbus-1/ rw,
+ owner /{var/,}run/user/[0-9]*/dbus-1/services/ rw,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/dconf-editor b/apparmor.d/dconf-editor
new file mode 100644
index 00000000..dbe45ef7
--- /dev/null
+++ b/apparmor.d/dconf-editor
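Review bot: `/usr/libexec/* rPUx,` lets the bus launch every helper under `/usr/libexec` unconfined whenever no profile exists for it, which is a wide fallback for a service that performs activation on behalf of any client connected to the bus. Enumerating the activation helpers that are actually needed (each with `rPx` once it has a profile), or at minimum a comment explaining why the wildcard fallback is acceptable here, would make the exposure deliberate rather than incidental. `@{PROC}/@{pids}/cmdline r,` is likewise unrestricted by `owner`; if it is only needed for the daemon's own processes, `owner` narrows it at no cost.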
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dconf-editor
+profile dconf-editor @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner /{var/,}run/user/[0-9]*/dconf/ rw,
+ owner /{var/,}run/user/[0-9]*/dconf/user rw,
+
+ # When GSETTINGS_BACKEND=keyfile
+ owner @{HOME}/.config/glib-2.0/ rw,
+ owner @{HOME}/.config/glib-2.0/settings/ rw,
+ owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
+ owner @{HOME}/.config/glib-2.0/settings/.goutputstream-* rw,
+
+ /usr/share/glib-2.0/schemas/{,*} r,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/dconf-service b/apparmor.d/dconf-service
new file mode 100644
index 00000000..64006b68
--- /dev/null
+++ b/apparmor.d/dconf-service
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/dconf/dconf-service /usr/libexec/dconf-service
+profile dconf-service @{exec_path} {
+ #include
+
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ owner /{,var/}run/user/[0-9]*/dconf/ rw,
+ owner /{,var/}run/user/[0-9]*/dconf/user rw,
+
+ owner @{HOME}/.config/dconf/ rw,
+ owner @{HOME}/.config/dconf/user{,.*} rw,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/dconf/ rw,
+ owner @{HOME}/.cache/dconf/user rw,
+
+ @{PROC}/cmdline r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ddclient b/apparmor.d/ddclient
new file mode 100644
index 00000000..391b865f
--- /dev/null
+++ b/apparmor.d/ddclient
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/ddclient
+profile ddclient @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/logger rix,
+
+ /etc/ddclient.conf r,
+
+ /{,var/}run/ddclient.pid rw,
+
+ /var/cache/ddclient/ddclient.cache rw,
+
+ / r,
+
+ #include if exists
+}
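Review bot: `# Needed?` above `deny capability sys_nice,` cannot be answered as written, because an explicit `deny` rule is quiet by default and suppresses the very audit message that would show whether dconf-service ever requests the capability. Using `audit deny capability sys_nice,` for one test cycle answers the question, after which the comment should record the result instead of the question.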
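Review bot: `/ r,` grants read access on the filesystem root directory with no comment saying which call needs it; it is harmless by itself but looks accidental next to an otherwise tight rule set. A one-line reason above it, or its removal if the audit log no longer shows the access, would keep the profile self-explanatory.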
diff --git a/apparmor.d/debconf-apt-progress b/apparmor.d/debconf-apt-progress
new file mode 100644
index 00000000..40140201
--- /dev/null
+++ b/apparmor.d/debconf-apt-progress
@@ -0,0 +1,58 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/debconf-apt-progress
+profile debconf-apt-progress @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/apt-get rPx,
+
+ # Think what to do about this (#FIXME#)
+ /usr/share/debconf/frontend rPx,
+ #/usr/share/debconf/frontend rCx -> frontend,
+
+
+ profile frontend flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ /usr/share/debconf/frontend r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/debconf-apt-progress rPx,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
+
+ # The following is needed when debconf uses dialog/whiptail frontend.
+ /{usr/,}bin/whiptail rPx,
+
+ /etc/debconf.conf r,
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+ /usr/share/debconf/templates/adequate.templates r,
+
+ /etc/shadow r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/debconf-show b/apparmor.d/debconf-show
new file mode 100644
index 00000000..9ce4281d
--- /dev/null
+++ b/apparmor.d/debconf-show
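Review bot: `/etc/shadow r,` in the `frontend` child has no comment explaining why a configuration frontend needs the password hash file, and the same bare grant appears in debconf-show in the next hunk; a reason line above each would justify the exposure or show that the access can be denied instead. Both this profile and its child also carry `flags=(complain)`, so nothing here is enforced yet; together with the `# Think what to do about this (#FIXME#)` line that state should be tracked somewhere, since complain flags tend to stay indefinitely once committed. The `frontend` child is currently unreachable because the `rCx -> frontend` transition is commented out in favour of `rPx`, which is worth saying in the FIXME comment.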
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/debconf-show
+profile debconf-show @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/locale rix,
+
+ /etc/debconf.conf r,
+
+ /var/cache/debconf/{config,passwords,templates}.dat r,
+
+ /etc/shadow r,
+
+ #include if exists
+}
diff --git a/apparmor.d/deborphan b/apparmor.d/deborphan
new file mode 100644
index 00000000..9867f070
--- /dev/null
+++ b/apparmor.d/deborphan
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/deborphan
+profile deborphan @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /var/lib/deborphan/keep rw,
+
+ /var/lib/dpkg/status r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.synaptic/selections.{update,proceed} w,
+
+ #include if exists
+}
+
+
+
+
+
diff --git a/apparmor.d/debsecan b/apparmor.d/debsecan
new file mode 100644
index 00000000..effe7a62
--- /dev/null
+++ b/apparmor.d/debsecan
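Review bot: The deborphan profile ends with five empty lines after the closing `}`, which no other profile in this commit has; trimming them keeps the files uniform and avoids noise in later diffs. The `# file_inherit` rule `owner @{HOME}/.synaptic/selections.{update,proceed} w,` is the only one in this commit that names a specific caller's files, so a short note that it covers deborphan being launched from synaptic would explain why it lives here.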
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/debsecan
+profile debsecan @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/dash rix,
+
+ # Send results using email
+ /{usr/,}sbin/exim4 rPx,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /etc/default/debsecan rw,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/dpkg/status r,
+
+ /var/lib/debsecan/history{,.*} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ /tmp/#[0-9]*[0-9] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/debsign b/apparmor.d/debsign
new file mode 100644
index 00000000..e6cd4204
--- /dev/null
+++ b/apparmor.d/debsign
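Review bot: `/tmp/#[0-9]*[0-9] rw,` under `# file_inherit` lacks the `owner` qualifier that every other profile in this commit uses for the same rule (cron, cron-apt, cron-popularity-contest), so debsecan may write to anonymous tmp files belonging to other users; `owner /tmp/#[0-9]*[0-9] rw,` restores the consistent form. `/etc/default/debsecan rw,` also grants write access to a configuration file; if debsecan only reads its defaults, `r` is enough, and if it really rewrites the file a comment saying so would stop the next reviewer from narrowing it.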
@@ -0,0 +1,71 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/debsign +profile debsign @{exec_path} { + #include + + @{exec_path} r, + /{usr/,}bin/dash rix, + + /{usr/,}bin/mktemp rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/head rix, + /{usr/,}bin/cu rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/cmp rix, + + /{usr/,}bin/md5sum rix, + /{usr/,}bin/sha{1,256,512}sum rix, + + /{usr/,}bin/perl rix, + + /etc/devscripts.conf r, + owner @{HOME}/.devscripts r, + + # For package building + owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + owner /tmp/debsign.*/ rw, + owner /tmp/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw, + + + /{usr/,}bin/gpg rCx -> gpg, + profile gpg { + #include + + /{usr/,}bin/gpg mr, + + owner @{HOME}/.gnupg/ r, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + owner /tmp/debsign.*/*.{dsc,changes,buildinfo} r, + owner /tmp/debsign.*/*.{dsc,changes,buildinfo}.asc rw, + + } + + #include if exists +} diff --git a/apparmor.d/debsums b/apparmor.d/debsums new file mode 100644 index 00000000..9299d382 --- /dev/null +++ b/apparmor.d/debsums 
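Review bot: `/{usr/,}bin/cu rix,` directly above `/{usr/,}bin/cut rix,` looks like a typo: `cu` is the UUCP call-up utility, which debsign has no reason to execute, while `cut` is already covered by the next line. Removing the `cu` line keeps the profile to the tools the script actually runs. If it was deliberate, a comment naming the denial it fixes would stop the next reader from deleting it.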
@@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/debsums +profile debsums @{exec_path} { + #include + #include + + # Needed to read files owned by other users than root. + capability dac_read_search, + + @{exec_path} r, + + /{usr/,}bin/dash rix, + /{usr/,}bin/gawk rix, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + /var/lib/dpkg/info/* r, + + /etc/locale.nopurge r, + + /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + + # Scanning files + /{usr/,}bin/{,*} r, + /{usr/,}sbin/{,*} r, + /usr/{,**} r, + /etc/{,**} r, + /var/lib/{,**} r, + /opt/{,**} r, + /boot/{,**} r, + + #include if exists +} diff --git a/apparmor.d/debtags b/apparmor.d/debtags new file mode 100644 index 00000000..5b2dcb3c --- /dev/null +++ b/apparmor.d/debtags 
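Review bot: The `# Scanning files` block together with `capability dac_read_search,` gives debsums read access to everything under /etc, /var/lib, /usr, /opt and /boot regardless of file mode, which includes material no package ships checksums for (password hashes, private keys). That is inherent to verifying conffiles owned by other users, but the trade-off is invisible as written; a comment such as `# dac_read_search + /etc/** r: debsums can read any file on the system, including secrets it never checksums` makes it reviewable. If debsums only ever opens paths listed in `/var/lib/dpkg/info/*.md5sums`, explicit `deny` rules for the obvious secret locations would cost nothing — worth confirming against the tool before adding them.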
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/debtags +profile debtags @{exec_path} { + #include + #include + #include + #include + + #capability sys_tty_config, + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/dpkg rPx -> child-dpkg, + + owner @{PROC}/@{pid}/fd/ r, + + /usr/share/debtags/vocabulary r, + /var/lib/debtags/vocabulary rw, + /var/lib/debtags/package-tags rw, + /var/lib/debtags/tmp* rw, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + # file_inherit + /var/log/cron-apt/temp w , + + #include if exists +} diff --git a/apparmor.d/debuild b/apparmor.d/debuild new file mode 100644 index 00000000..52634516 --- /dev/null +++ b/apparmor.d/debuild 
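Review bot: `/var/log/cron-apt/temp w ,` has a stray space before the comma; every other rule in this commit is written `w,`. The file-inherit comment above it is fine, but `/var/cache/apt/** rwk,` is broad for a tool that mainly reads the apt cache — if debtags only touches a few specific files, a narrower glob would do, which needs checking against actual denials rather than guessing here.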
@@ -0,0 +1,49 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/debuild +profile debuild @{exec_path} flags=(complain) { + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + /{usr/,}bin/bash rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/pwd rix, + /{usr/,}bin/tee rix, + + /{usr/,}bin/dpkg-architecture rPx, + /{usr/,}bin/dpkg-buildpackage rPx, + /{usr/,}bin/debsign rPx, + + /usr/share/lintian/bin/lintian rPx, + /{usr/,}bin/lintian rPx, + + /etc/devscripts.conf r, + + /etc/dpkg/origins/debian r, + + # For package building + owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + #include if exists +} diff --git a/apparmor.d/deluser b/apparmor.d/deluser new file mode 100644 index 00000000..bf7cb4fa --- /dev/null +++ b/apparmor.d/deluser 
@@ -0,0 +1,67 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/del{user,group} +profile deluser @{exec_path} { + #include + #include + #include + #include + + # The deluser command is issued as root and its task is to delete regular user accounts. It + # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. + # Because of that, the deluser command needs the following CAPs to be able to do so. + capability dac_read_search, + capability dac_override, + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + + /{usr/,}sbin/userdel rPx, + /{usr/,}sbin/groupdel rPx, + /{usr/,}bin/gpasswd rPx, + + /{usr/,}bin/crontab rPx, + + /{usr/,}bin/mount rCx -> mount, + + /etc/adduser.conf r, + /etc/deluser.conf r, + + owner /etc/shadow r, + + # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user + # that's going to be deleted. Basically it scans all the files in the system in each dir and look + # for matches. This also includes files required by the "--remove-home" flag as well as the + # "--backup" and --backup-to flags. + / r, + /** rw, + + + profile mount { + #include + + /{usr/,}bin/mount mr, + + @{PROC}/@{pid}/mountinfo r, + + @{sys}/devices/virtual/block/**/name r, + + } + + #include if exists +} diff --git a/apparmor.d/df b/apparmor.d/df new file mode 100644 index 00000000..e0fb0983 --- /dev/null +++ b/apparmor.d/df 
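Review bot: `owner /etc/shadow r,` is redundant in the deluser profile, because `/** rw,` a few lines below already grants read and write on every path; combined with `capability dac_override,` the profile's file mediation covers the whole tree and confines almost nothing. That may be unavoidable for `--remove-all-files`, but the existing comment only explains the scan, not the cost; something like `# NOTE: /** rw plus dac_override means no file below / is protected from this profile; accepted because --remove-all-files must unlink anywhere` should sit next to the rule. If only the scan needs to be system-wide, keeping `/** r` and limiting `w` to the locations the flags actually delete into would retain most of the profile's value — verify against deluser's behaviour before tightening.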
@@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/df +profile df @{exec_path} { + #include + + capability dac_read_search, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mountinfo r, + + # For dir stats + / r, + /**/ r, + + #include if exists +} diff --git a/apparmor.d/dfc b/apparmor.d/dfc new file mode 100644 index 00000000..130797a0 --- /dev/null +++ b/apparmor.d/dfc @@ -0,0 +1,28 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/dfc +profile dfc @{exec_path} { + #include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + + owner @{HOME}/.config/dfc/dfcrc r, + owner @{HOME}/.dfcrc r, + + #include if exists +} diff --git a/apparmor.d/dh b/apparmor.d/dh new file mode 100644 index 00000000..9990e066 --- /dev/null +++ b/apparmor.d/dh 
@@ -0,0 +1,76 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/dh +@{exec_path} += /{usr/,}bin/dh_* +profile dh @{exec_path} flags=(complain) { + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dh_* rix, + + /{usr/,}bin/dash rix, + /{usr/,}bin/make rix, + /{usr/,}bin/find rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mkdir rix, + + # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#) + owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules, + owner @{BUILD_DIR}/** rcx -> debian-rules, + owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + /etc/dpkg/origins/debian r, + + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, + + owner @{HOME}/.config/dpkg/buildflags.conf r, + + /usr/share/dpkg/* r, + + + profile debian-rules flags=(complain) { + #include + + owner @{BUILD_DIR}/**/debian/rules rix, + owner @{BUILD_DIR}/** rix, + owner @{BUILD_DIR}/** rwkl -> /media/debuilder/*/**, + + /{usr/,}bin/dash rix, + /{usr/,}bin/make rix, + + # Don't strip env here + /{usr/,}bin/* rpux, + + /usr/share/dpkg/* r, + + / r, + /usr/include/{,**} r, + + # Key to sign the kernel and its modules + /etc/kernel_key/* r, + + owner /tmp/cpiolist.* rw, + + } + + #include if exists +} diff --git a/apparmor.d/dhclient b/apparmor.d/dhclient new file mode 100644 index 00000000..a4977591 --- /dev/null +++ b/apparmor.d/dhclient 
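Review bot: In the `debian-rules` child profile, `owner @{BUILD_DIR}/** rwkl -> /media/debuilder/*/**,` hard-codes the path that the rest of the file and the parent's matching rule spell as `@{BUILD_DIR}` (`-> @{BUILD_DIR}/**`), so the two drift apart if the variable is ever changed. `/{usr/,}bin/* rpux,` also deserves a comment beyond "Don't strip env here": the `u` fallback means any tool without its own profile runs unconfined, so the child profile only contains what already has a profile. A one-line note such as `# rpux: tools without a profile run unconfined (env kept for the build); BUILD_DIR is the only tree writable from here` would make that trade-off visible.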
@@ -0,0 +1,49 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/dhclient +profile dhclient @{exec_path} { + #include + #include + #include + + # To remove the following errors: + # dhclient[]: Open a socket for LPF: Operation not permitted + capability net_raw, + + # To remove the following errors: + # dhclient[]: Can't bind to dhcp address: Permission denied + capability net_bind_service, + + # Needed? + #capability net_admin, + audit deny capability sys_module, + + @{exec_path} mr, + + # To run dhclient scripts + /{usr/,}sbin/dhclient-script rPx, + + /etc/dhclient.conf r, + /etc/dhcp/{,**} r, + + /var/lib/dhcp{,3}/dhclient* rw, + owner /{,var/}run/dhclient*.pid rw, + owner /{,var/}run/dhclient*.lease* rw, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + #include if exists +} diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script new file mode 100644 index 00000000..3497a24d --- /dev/null +++ b/apparmor.d/dhclient-script 
@@ -0,0 +1,105 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/dhclient-script +profile dhclient-script @{exec_path} { + #include + #include + #include + #include + + # Needed? + audit deny capability sys_module, + + @{exec_path} mr, + + /{usr/,}bin/dash mrix, + + /{usr/,}bin/ping rPx, + /{usr/,}bin/run-parts rCx -> run-parts, + + # To remove the following error: + # /sbin/dhclient-script: 133: hostname: Permission denied + /{usr/,}bin/hostname rPx, + + # To read scripts + /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r, + + # For debug script + /{usr/,}bin/date rix, + /etc/dhcp/debug r, + owner /tmp/dhclient-script.debug rw, + + # For ddclient script + /{usr/,}sbin/ddclient rPx, + /etc/default/ddclient r, + /{usr/,}bin/logger rix, + + # For samba script + /{usr/,}bin/mv rix, + /etc/samba/dhcp.conf{,.new} rw, + # For netbios name servers settings from a DHCP server + /var/lib/samba/dhcp.conf{,.new} rw, + + # Many scripts may use the ip tool + capability net_admin, + /{usr/,}bin/ip rix, + + # For loadbalance + /etc/iproute2/rt_tables r, + /etc/iproute2/rt_tables.d/{,*} r, + owner @{PROC}/@{pid}/loginuid r, + + # For updating the /etc/resolv.conf file + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/chown rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/sed rix, + /etc/fstab r, + /etc/resolv.conf.dhclient-new.@{pid} rw, + /etc/resolv.conf rw, + + # For stable-privacy addresses + /{usr/,}sbin/sysctl rix, + /{usr/,}bin/head rix, + /{usr/,}bin/xxd rix, + /{usr/,}bin/paste rix, + /{usr/,}bin/fold rix, + /{usr/,}bin/tr rix, + 
@{PROC}sys/net/ipv6/conf/*/stable_secret w, + + # For printing env + /{usr/,}bin/printenv rix, + owner /tmp/variables.txt w, + + # file_inherit + /var/lib/dhcp/dhclient.leases r, + + + profile run-parts { + #include + + /{usr/,}bin/run-parts mr, + + /etc/dhcp/dhclient-{enter,exit}-hooks.d/ r, + + # file_inherit + owner /var/lib/dhcp/dhclient.leases r, + + } + + #include if exists +} diff --git a/apparmor.d/dig b/apparmor.d/dig new file mode 100644 index 00000000..9f96c499 --- /dev/null +++ b/apparmor.d/dig @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/dig +profile dig @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + owner @{HOME}/.digrc r, + + #include if exists +} diff --git a/apparmor.d/dirmngr b/apparmor.d/dirmngr new file mode 100644 index 00000000..06355628 --- /dev/null +++ b/apparmor.d/dirmngr 
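Review bot: `@{PROC}sys/net/ipv6/conf/*/stable_secret w,` omits the `/` that every other `@{PROC}` rule in this commit writes (compare `owner @{PROC}/@{pid}/loginuid r,` in the same hunk). It only expands correctly when `@{PROC}` happens to end in a trailing slash in the tunables in use, so the rule is fragile as written; `@{PROC}/sys/net/ipv6/conf/*/stable_secret w,` is the consistent form. The dig hunk on the same line raises nothing.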
@@ -0,0 +1,38 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/dirmngr +profile dirmngr @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/dirmngr.conf r, + owner @{HOME}/.gnupg/dirmngr_ldapservers.conf r, + owner @{HOME}/.gnupg/crls.d/ rw, + owner @{HOME}/.gnupg/crls.d/DIR.txt rw, + + /usr/share/gnupg/sks-keyservers.netCA.pem r, + + owner /{var/,}run/user/[0-9]*/gnupg/ rw, + owner /{var/,}run/user/[0-9]*/gnupg/S.dirmngr rw, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + #include if exists +} diff --git a/apparmor.d/discord b/apparmor.d/discord new file mode 100644 index 00000000..18904ec0 --- /dev/null +++ b/apparmor.d/discord 
@@ -0,0 +1,205 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{DISCORD_LIBDIR} = /usr/share/discord +@{DISCORD_HOMEDIR} = @{HOME}/.config/discord +@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord + +@{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord +profile discord @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(kill, term) peer=@{profile_name}//lsb_release, + + # Needed for Game Activity + deny capability sys_ptrace, + deny ptrace (read), + + @{exec_path} mrix, + + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set + # to "1". 
+ capability sys_admin, + capability sys_chroot, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/uid_map w, + + /{usr/,}bin/dash rix, + + /{usr/,}bin/xdg-open rCx -> open, + #/{usr/,}bin/lsb_release rCx -> lsb_release, + #/{usr/,}bin/xdg-mime rCx -> xdg-mime, + deny /{usr/,}bin/lsb_release mrx, + deny /{usr/,}bin/xdg-mime mrx, + + @{DISCORD_LIBDIR}/ r, + @{DISCORD_LIBDIR}/** r, + # @{DISCORD_LIBDIR}/**.so mr, + # @{DISCORD_LIBDIR}/libEGL.so mr, + # @{DISCORD_LIBDIR}/libGLESv2.so mr, + # To remove the following error: + # discord-canary: error while loading shared libraries: libffmpeg.so: cannot open shared object + # file: No such file or directory + @{DISCORD_LIBDIR}/libffmpeg.so mr, + # @{DISCORD_LIBDIR}/swiftshader/libEGL.so mr, + # @{DISCORD_LIBDIR}/swiftshader/libGLESv2.so mr, + @{DISCORD_LIBDIR}/chrome-sandbox rPx, + + owner @{DISCORD_HOMEDIR}/ rw, + owner @{DISCORD_HOMEDIR}/** rwk, + owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/*.node mrwk, + owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/lib*.so.[0-9] mrw, + + # Reading of the /proc/ dir is needed to start discord. 
+ # Otherwise it returns the following error: + # [:FATAL:proc_util.cc(36)] : Permission denied (13) + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/vmstat r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pids}/task/ r, + deny owner @{PROC}/@{pids}/task/@{tid}/status r, + deny @{PROC}/@{pids}/stat r, + deny owner @{PROC}/@{pids}/statm r, + deny @{PROC}/@{pids}/cmdline r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + # To avoid the following error: + # kernel: traps: Discord[] trap int3 ip:7fa5b7541885 sp:7ffff5539c40 error:0 + # in libglib-2.0.so.0.6000.6[7fa5b7508000+80000] + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + deny @{sys}/devices/virtual/tty/tty[0-9]/active r, + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + @{sys}/devices/pci[0-9]*/**/irq r, + + deny /dev/ r, + deny /dev/shm/ rw, + owner /dev/shm/.org.chromium.Chromium.* rw, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/net-export/ rw, + owner /tmp/discord.sock rw, + owner /tmp/.org.chromium.Chromium.*/ rw, + owner /tmp/.org.chromium.Chromium.*/discord1_[0-9]*.png rw, + owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw, + owner /tmp/.org.chromium.Chromium.*/SS rw, + owner "/tmp/Discord Crashes/" rw, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner /{var/,}run/user/[0-9]*/discord-ipc-[0-9] rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile xdg-mime { + #include + #include + + /{usr/,}bin/xdg-mime mr, + + 
/{usr/,}bin/dash r, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/head rix, + /{usr/,}bin/sed rix, + + # file_inherit + /usr/share/discord/** r, + owner /dev/shm/.org.chromium.Chromium.* rw, + owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw, + owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r, + owner @{HOME}/.config/discord/GPUCache/index rw, + + } + + profile lsb_release { + #include + #include + #include + + signal (receive) set=(kill, term) peer=discord, + + /{usr/,}bin/lsb_release r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/apt-cache rPx, + + owner @{PROC}/@{pid}/fd/ r, + + /etc/debian_version r, + /etc/dpkg/origins/debian r, + /usr/share/distro-info/debian.csv r, + + # file_inherit + deny /usr/share/discord/** r, + deny owner /dev/shm/.org.chromium.Chromium.* rw, + deny owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw, + deny owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r, + deny owner @{HOME}/.config/discord/GPUCache/index rw, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/discord-chrome-sandbox b/apparmor.d/discord-chrome-sandbox new file mode 100644 index 00000000..b839c189 --- /dev/null +++ b/apparmor.d/discord-chrome-sandbox 
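Review bot: The `lsb_release` and `xdg-mime` child profiles are unreachable: the transitions into them are commented out (`#/{usr/,}bin/lsb_release rCx -> lsb_release,`, `#/{usr/,}bin/xdg-mime rCx -> xdg-mime,`) and replaced by `deny /{usr/,}bin/lsb_release mrx,` / `deny /{usr/,}bin/xdg-mime mrx,`, so both child blocks and the `signal (send) ... peer=@{profile_name}//lsb_release,` rule are dead code that still has to be maintained. Either drop them or keep them behind a comment saying why they are retained. Separately, `owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/*.node mrwk,` grants write and mmap-exec on the same files; that is how the application updates its native modules, but it also means anything able to write the user's config directory can load code into this profile, which is worth one comment so the grant is neither tightened by mistake nor taken as harmless.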
@@ -0,0 +1,47 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{DISCORD_LIBDIR} = /usr/share/discord +@{DISCORD_HOMEDIR} = @{HOME}/.config/discord +@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord + +@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox + +profile discord-chrome-sandbox @{exec_path} { + #include + #include + + # For kernel unprivileged user namespaces + capability sys_admin, + capability sys_chroot, + capability setuid, + capability setgid, + + # optional + capability sys_resource, + + @{exec_path} mr, + + # Do not strip env to avoid errors like the following: + # /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open + # shared object file: No such file or directory + # [1] 777862 trace trap discord + @{DISCORD_LIBDIR}/Discord rpx, + + @{PROC}/@{pids}/ r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + + #include if exists +} diff --git a/apparmor.d/dkms b/apparmor.d/dkms new file mode 100644 index 00000000..1b0024db --- /dev/null +++ b/apparmor.d/dkms 
@@ -0,0 +1,112 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/dkms +profile dkms @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + + /{usr/,}bin/head rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/nproc rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/diff rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/find rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/date rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/dash rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/pwd rix, + /{usr/,}bin/getconf rix, + /{usr/,}bin/xargs rix, + + /{usr/,}bin/make rix, + /{usr/,}bin/{,@{multiarch}-}* rix, + /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, + + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + + /{usr/,}lib/linux-kbuild-*/scripts/** rix, + capability setuid, + capability setgid, + /proc/sys/kernel/osrelease r, + /usr/lib/linux-kbuild-*/tools/objtool/objtool rix, + + / r, + /{usr/,}lib/modules/*/updates/ rw, + /{usr/,}lib/modules/*/updates/dkms/ rw, + /{usr/,}lib/modules/*/updates/dkms/*.ko rw, + + /var/lib/dkms/ r, + /var/lib/dkms/** rw, + + /etc/dkms/{,**} r, + + # For building module in /usr/src/ subdirs + /usr/src/** rw, + /usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr, + /usr/src/linux-headers-*/scripts/** rix, + /usr/src/linux-headers-*/tools/** rix, + /usr/include/**.h r, 
+ + # For autosign modules + owner /etc/kernel_key/sign-kernel.sh rix, + owner /etc/kernel_key/*.key r, + owner /etc/kernel_key/*.crt r, + + owner @{HOME}/ r, + + owner /tmp/cc*.s rw, + owner /tmp/dkms.*/ rw, + owner /tmp/tmp.* rw, + owner /tmp/sh-thd.* rw, + + owner @{PROC}/@{pid}/fd/ r, + + + profile kmod { + #include + #include + + /{usr/,}bin/kmod mr, + + @{PROC}/cmdline r, + + /{usr/,}lib/modules/*/modules.* rw, + /var/lib/dkms/**/module/*.ko r, + + owner /boot/System.map-* r, + + } + + #include if exists +} diff --git a/apparmor.d/dkms-autoinstaller b/apparmor.d/dkms-autoinstaller new file mode 100644 index 00000000..cca33ec1 --- /dev/null +++ b/apparmor.d/dkms-autoinstaller @@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/dkms/dkms_autoinstaller +profile dkms-autoinstaller @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, + + /{usr/,}sbin/dkms rPx, + + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rPx -> child-systemctl, + + + profile run-parts { + #include + #include + + /{usr/,}bin/run-parts mr, + + } + + #include if exists +} diff --git a/apparmor.d/dlocate b/apparmor.d/dlocate new file mode 100644 index 00000000..355b397d --- /dev/null +++ b/apparmor.d/dlocate 
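Review bot: `/{usr/,}bin/{,@{multiarch}-}* rix,` lets every binary in /usr/bin run inside the dkms profile (with `capability setuid,` and `capability setgid,` available to it), which makes the long per-tool `rix` list above it redundant and removes most of the value of listing tools at all. If the intent is only the cross-prefixed toolchain, a narrower pattern limited to the compiler and binutils names would keep the build working — verify against actual denials before tightening. `/proc/sys/kernel/osrelease r,` should also use `@{PROC}` like the rest of the file (`@{PROC}/sys/kernel/osrelease r,`). The dkms-autoinstaller hunk on the same line raises nothing.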
@@ -0,0 +1,72 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/dlocate +profile dlocate @{exec_path} { + #include + #include + #include + + @{exec_path} rix, + /{usr/,}bin/bash rix, + + /{usr/,}bin/getopt rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/awk rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/grep-dctrl rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/du rix, + /{usr/,}bin/stat rix, + + /{usr/,}bin/md5sum rCx -> md5sum, + + /etc/default/dlocate r, + + /var/lib/dlocate/dlocatedb r, + /var/lib/dlocate/dpkg-list r, + + /var/lib/dpkg/status r, + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/*.conffiles r, + /var/lib/dpkg/info/*.md5sums r, + + owner /tmp/sh-thd.* rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fd/2 w, + + / r, + + + profile md5sum { + #include + + /{usr/,}bin/md5sum mr, + + # For the md5 check + /boot/** r, + /usr/** r, + + } + + #include if exists +} diff --git a/apparmor.d/dmcrypt-get-device b/apparmor.d/dmcrypt-get-device new file mode 100644 index 00000000..dca3663e --- /dev/null +++ b/apparmor.d/dmcrypt-get-device 
@@ -0,0 +1,32 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/eject/dmcrypt-get-device +profile dmcrypt-get-device @{exec_path} flags=(complain) { + #include + + capability sys_admin, + capability setgid, + capability setuid, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/devices r, + + /dev/mapper/control rw, + + #include if exists +} diff --git a/apparmor.d/dmesg b/apparmor.d/dmesg new file mode 100644 index 00000000..130ffb36 --- /dev/null +++ b/apparmor.d/dmesg @@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/dmesg +profile dmesg @{exec_path} { + #include + + capability syslog, + + @{exec_path} mr, + + /dev/kmsg r, + + #include if exists +} diff --git a/apparmor.d/dmidecode b/apparmor.d/dmidecode new file mode 100644 index 00000000..03a34fab --- /dev/null +++ b/apparmor.d/dmidecode 
@@ -0,0 +1,34 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/dmidecode +profile dmidecode @{exec_path} { + #include + + @{exec_path} mr, + + @{sys}/firmware/dmi/tables/smbios_entry_point r, + @{sys}/firmware/dmi/tables/DMI r, + + # The following are needed when the --no-sysfs flag is used + #capability sys_rawio, + #/dev/mem r, + #@{sys}/firmware/efi/systab r, + + # For dumping the output to a file + owner /tmp/dump.bin rw, + + #include if exists +} diff --git a/apparmor.d/dnscrypt-proxy b/apparmor.d/dnscrypt-proxy new file mode 100644 index 00000000..1b9d442a --- /dev/null +++ b/apparmor.d/dnscrypt-proxy 
@@ -0,0 +1,69 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/dnscrypt-proxy
+profile dnscrypt-proxy @{exec_path} {
+ #include
+ #include
+ #include
+
+ # To bind to the 53 tcp/udp port (when systemd's sockets aren't used).
+ capability net_bind_service,
+
+ # Needed for privilege drop (to run as _dnscrypt-proxy:nogroup).
+ capability setgid,
+ capability setuid,
+
+ @{exec_path} mrix,
+
+ # dnscrypt-proxy config files
+ /etc/dnscrypt-proxy/ r,
+ /etc/dnscrypt-proxy/dnscrypt-proxy.toml r,
+ /etc/dnscrypt-proxy/whitelist.txt r,
+ /etc/dnscrypt-proxy/blacklist.txt r,
+ /etc/dnscrypt-proxy/cloaking-rules.txt r,
+ /etc/dnscrypt-proxy/forwarding-rules.txt r,
+
+ # This is for the built-in DoH server / Firefox ESNI (Encrypted ClientHello)
+ # See: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH
+ owner /etc/dnscrypt-proxy/localhost.pem r,
+
+ # For downloading the relays.md and public-resolvers.md files (for offline use, which can fix
+ # connectivity issues).
+ owner /etc/dnscrypt-proxy/sf-*.tmp rw,
+ owner /etc/dnscrypt-proxy/relays.md rw,
+ owner /etc/dnscrypt-proxy/relays.md.minisig rw,
+ owner /etc/dnscrypt-proxy/public-resolvers.md rw,
+ owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
+
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/sys/kernel/hostname r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ # Logs
+ /var/log/dnscrypt-proxy/ r,
+ /var/log/dnscrypt-proxy/*.log w,
+ /var/log/private/dnscrypt-proxy/ rw,
+ /var/log/private/dnscrypt-proxy/*.log w,
+
+ /var/cache/private/dnscrypt-proxy/sf-*.tmp rw,
+ /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw,
+
+ # Needed?
+ deny /etc/ssl/certs/java/ r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg b/apparmor.d/dpkg
new file mode 100644
index 00000000..e0e2532d
--- /dev/null
+++ b/apparmor.d/dpkg
@@ -0,0 +1,148 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg
+profile dpkg @{exec_path} {
+ #include
+ #include
+
+ # To set proper ownership/permissions of installed files.
+ capability chown,
+ capability fowner,
+ capability fsetid,
+
+ # These are needed because dpkg wants to read/write files from/to directories owned by different
+ # users than root, for instance files in the /usr/share/polkit-1/ dir , which is owned by the
+ # "polkitd" user with the "drwx------" permissions.
+ capability dac_read_search,
+ capability dac_override,
+
+ # Needed? (##FIXME##)
+ capability setgid,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/rm rix,
+
+ /{usr/,}bin/dpkg-query rPx,
+ # Do not strip env to avoid errors like the following:
+ # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
+ # shared object file): ignored.
+ /{usr/,}bin/dpkg-deb rpx,
+ /{usr/,}bin/dpkg-split rPx,
+
+ /usr/share/debian-security-support/check-support-status.hook rPx,
+
+ /{usr/,}bin/pager rCx -> diff,
+ /{usr/,}bin/less rCx -> diff,
+ /{usr/,}bin/more rCx -> diff,
+ /{usr/,}bin/diff rCx -> diff,
+
+ # Run the package maintainer's scripts
+ # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
+ # Move it to a child profile once more transitions will be available
+ /var/lib/dpkg/ r,
+ /var/lib/dpkg/** rwkl -> /var/lib/dpkg/**,
+ /var/lib/dpkg/info/*.{config,templates} rPUx,
+ /var/lib/dpkg/info/*.{preinst,postinst} rPUx,
+ /var/lib/dpkg/info/*.{prerm,postrm} rPUx,
+ /var/lib/dpkg/info/*.control r,
+ /var/lib/dpkg/tmp.ci/{config,templates} rPUx,
+ /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
+ /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
+ /var/lib/dpkg/tmp.ci/control r,
+ #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
+ #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
+ #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
+ #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
+ #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
+ #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
+
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner /tmp/apt-dpkg-install-*/ r,
+
+ /var/log/dpkg.log w,
+
+ # Basically, dpkg needs R/W permissions to the following files since it installs them.
+ # It also needs the L permission when a package is reinstalled.
+ /usr/ r,
+ /usr/** rwl -> /usr/**,
+ /lib/ r,
+ /lib/** rwl -> /lib/** ,
+ /bin/ r,
+ /bin/* rwl -> /bin/*,
+ /sbin/ r,
+ /sbin/* rwl -> /sbin/*,
+ /etc/ r,
+ /etc/** rwl -> /etc/**,
+ /boot/ r,
+ /boot/** rwl -> /boot/**,
+ /opt/ r,
+ /opt/** rwl -> /opt/**,
+ # Without backups/, cache/, log/, mail/, opt/, tmp/ .
+ /var/lib/ r,
+ /var/lib/** rwl -> /var/lib/**,
+ /var/local/ r,
+ /var/local/** rwl -> /var/local/**,
+ /var/spool/ r,
+ /var/spool/** rwl -> /var/spool/**,
+ # To create log and cache dirs
+ /var/log/**/ rw,
+ /var/cache/**/ rw,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile diff {
+ #include
+ #include
+
+ /{usr/,}bin/pager mr,
+ /{usr/,}bin/less mr,
+ /{usr/,}bin/more mr,
+ /{usr/,}bin/diff mr,
+
+ owner @{HOME}/.lesshst r,
+
+ # Diff changed config files
+ /etc/** r,
+
+ }
+
+ profile scripts {
+ #include
+
+ /var/lib/dpkg/info/*.config r,
+ /var/lib/dpkg/info/*.{preinst,postinst} r,
+ /var/lib/dpkg/info/*.{prerm,postrm} r,
+ /var/lib/dpkg/tmp.ci/config r,
+ /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
+ /var/lib/dpkg/tmp.ci/{prerm,postrm} r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/* rPUx,
+ /{usr/,}sbin/ r,
+ /{usr/,}sbin/* rPUx,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-architecture b/apparmor.d/dpkg-architecture
new file mode 100644
index 00000000..b72e69f2
--- /dev/null
+++ b/apparmor.d/dpkg-architecture
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg-architecture
+profile dpkg-architecture @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /usr/bin/perl r,
+
+ /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
+
+ /{usr/,}bin/ccache rCx -> ccache,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /usr/share/dpkg/** r,
+
+ # file_inherit
+ owner /tmp/* rw,
+
+
+ profile ccache {
+ #include
+
+ /{usr/,}bin/ccache mr,
+
+ /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
+
+ /media/ccache/*/** rw,
+
+ }
+
+ #include if exists
+}
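Review bot: The maintainer-script rules `/var/lib/dpkg/info/*.{preinst,postinst} rPUx` (and their tmp.ci counterparts) sit next to `/var/lib/dpkg/** rwkl -> /var/lib/dpkg/**`, so anything dpkg writes under that tree it can also execute unconfined; together with the `rwl` grants over /usr, /lib, /etc, /boot and /opt this makes the parent profile's confinement largely nominal, and the `(#FIXME#)` comment should state that plainly so the enforce-mode profile is not mistaken for a real boundary. The `scripts` child profile at the bottom is only reachable through the commented-out `rCx -> scripts` lines, so as committed it is dead policy; either wire it up or remove it. `capability setgid` is still annotated `Needed? (##FIXME##)`, and an unexplained capability grant in an enforce-mode profile deserves a resolution (drop it, or record the observed denial that required it) before merge.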
diff --git a/apparmor.d/dpkg-buildflags b/apparmor.d/dpkg-buildflags
new file mode 100644
index 00000000..d6b657e6
--- /dev/null
+++ b/apparmor.d/dpkg-buildflags
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg-buildflags
+profile dpkg-buildflags @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /etc/dpkg/origins/debian r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ owner @{HOME}/.config/dpkg/buildflags.conf r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-buildpackage b/apparmor.d/dpkg-buildpackage
new file mode 100644
index 00000000..0b776896
--- /dev/null
+++ b/apparmor.d/dpkg-buildpackage
@@ -0,0 +1,111 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dpkg-buildpackage
+profile dpkg-buildpackage @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/getconf rix,
+ /{usr/,}bin/fakeroot-sysv rix,
+ /{usr/,}bin/faked-sysv rix,
+
+ /{usr/,}bin/dh rPx,
+ /{usr/,}bin/dpkg-buildflags rPx,
+ /{usr/,}bin/dpkg-architecture rPx,
+ /{usr/,}bin/dpkg-genbuildinfo rPx,
+ /{usr/,}bin/dpkg-genchanges rPx,
+ /{usr/,}bin/dpkg-checkbuilddeps rPx,
+
+ /{usr/,}bin/dpkg-source rcx -> dpkg-source,
+
+ # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
+ owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ /etc/dpkg/origins/debian r,
+
+
+ profile dpkg-source flags=(complain) {
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/dpkg-source mr,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/bunzip2 rix,
+ /{usr/,}bin/gunzip rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/xz rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/patch rix,
+ /{usr/,}bin/diff rix,
+
+ /etc/dpkg/origins/debian r,
+
+ owner /tmp/*.diff.* rw,
+ owner /tmp/* rw,
+
+ /usr/share/dpkg/tupletable r,
+ /usr/share/dpkg/cputable r,
+
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+ owner @{HOME}/** rwkl -> @{HOME}/**,
+ audit deny owner @{HOME}/.* mrwkl,
+ audit deny owner @{HOME}/.*/ rw,
+ audit deny owner @{HOME}/.*/** mrwkl,
+
+ }
+
+ profile debian-rules flags=(complain) {
+ #include
+
+ owner @{BUILD_DIR}/**/debian/rules rix,
+ owner @{BUILD_DIR}/** rix,
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/*/**,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/make rix,
+
+ # Don't strip env here
+ /{usr/,}bin/* rpux,
+
+ /usr/share/dpkg/* r,
+
+ / r,
+ /usr/include/{,**} r,
+
+ # Key to sign the kernel and its modules
+ /etc/kernel_key/* r,
+
+ owner /tmp/cpiolist.* rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-checkbuilddeps b/apparmor.d/dpkg-checkbuilddeps
new file mode 100644
index 00000000..19458871
--- /dev/null
+++ b/apparmor.d/dpkg-checkbuilddeps
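Review bot: The `debian-rules` child profile grants `/etc/kernel_key/* r` in the same scope that allows `/{usr/,}bin/* rpux`, so every tool the rules file spawns runs unconfined, with an unscrubbed environment, while the signing-key read is already in hand; scoping the key read to the actual signing step (a dedicated child profile, or a `Px` transition for the signing tool) would keep the key out of reach of arbitrary build tooling. The parent profile and both children carry `flags=(complain)`, so none of these rules are enforced yet, which is worth saying in the header so the key rule is not assumed to be a boundary. The comment `# Don't strip env here` should record why lowercase `rpux` was chosen over `rPUx` (the sibling `/{usr/,}bin/dpkg-source rcx` has the same unexplained lowercase form), e.g. `# Lowercase p/c: keep LD_PRELOAD for fakeroot-sysv, see dpkg profile`.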
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps
+profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /etc/dpkg/origins/debian r,
+
+ /var/lib/dpkg/status r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ # For package building
+ owner @{BUILD_DIR}/**/debian/control r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-deb b/apparmor.d/dpkg-deb
new file mode 100644
index 00000000..01fed462
--- /dev/null
+++ b/apparmor.d/dpkg-deb
@@ -0,0 +1,49 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dpkg-deb
+profile dpkg-deb @{exec_path} {
+ #include
+ #include
+ #include
+
+ #capability sys_tty_config,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/rm rix,
+
+ owner /var/lib/dpkg/tmp.ci/ w,
+ owner /var/lib/dpkg/tmp.ci/* w,
+
+ # For creating deb packages
+ owner /tmp/dpkg-deb.* rw,
+
+ owner /tmp/dpkg-deb.*/ rw,
+ owner /tmp/dpkg-deb.*/* rw,
+
+ # For extracting deb packages to /tmp/
+ owner /tmp/** rw,
+
+ /var/cache/apt/archives/*.deb r,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-divert b/apparmor.d/dpkg-divert
new file mode 100644
index 00000000..dc145e7f
--- /dev/null
+++ b/apparmor.d/dpkg-divert
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg-divert
+profile dpkg-divert @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /var/lib/dpkg/** r,
+
+ /usr/share/*/**.dpkg-divert.tmp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-genbuildinfo b/apparmor.d/dpkg-genbuildinfo
new file mode 100644
index 00000000..9ebccdd2
--- /dev/null
+++ b/apparmor.d/dpkg-genbuildinfo
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo
+profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /etc/dpkg/origins/debian r,
+
+ # For package building
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ /var/lib/dpkg/status r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ owner @{HOME}/.config/dpkg/buildflags.conf r,
+
+ /usr/local/bin/ r,
+ /usr/local/sbin/ r,
+ /usr/local/lib/ r,
+ /usr/local/lib/**/ r,
+ /usr/local/include/ r,
+ /usr/local/etc/ r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-genchanges b/apparmor.d/dpkg-genchanges
new file mode 100644
index 00000000..beb3e079
--- /dev/null
+++ b/apparmor.d/dpkg-genchanges
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dpkg-genchanges
+profile dpkg-genchanges @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /etc/dpkg/origins/debian r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ # For package building
+ owner @{BUILD_DIR}/** r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-preconfigure b/apparmor.d/dpkg-preconfigure
new file mode 100644
index 00000000..daaa316e
--- /dev/null
+++ b/apparmor.d/dpkg-preconfigure
@@ -0,0 +1,60 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/dpkg-preconfigure
+profile dpkg-preconfigure @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ #capability sys_tty_config,
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/stty rix,
+
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/apt-extracttemplates rPx,
+ /{usr/,}bin/whiptail rPx,
+
+ /etc/shadow r,
+
+ /etc/inputrc r,
+ /etc/debconf.conf r,
+
+ owner /tmp/*.template.* rw,
+ owner /tmp/*.config.* rwPUx,
+
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
+
+ # The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
+ #include
+ #include
+ #include
+ #include
+ capability dac_read_search,
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/hostname rPx,
+ owner @{PROC}/@{pid}/mounts r,
+ @{HOME}/.Xauthority r,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-query b/apparmor.d/dpkg-query
new file mode 100644
index 00000000..5627a2d5
--- /dev/null
+++ b/apparmor.d/dpkg-query
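Review bot: `/etc/shadow r` hands a package pre-configuration helper read access to password hashes with no comment saying which code path needs it; if a debconf frontend is the consumer it belongs in the GUI-frontend block below with a justification, otherwise it should be removed or turned into an explicit `deny /etc/shadow r,` so the audit log stays quiet without granting the read. `owner /tmp/*.config.* rwPUx` lets the profile both write and execute-unconfined the same predictable /tmp names; that write-then-run pattern is presumably required for extracted config scripts, but it deserves a comment so the grant is not widened later by accident. `owner @{PROC}/@{pid}/mounts r` appears twice (inside the GUI-frontend block and again after it); one copy can go.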
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg-query
+profile dpkg-query @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/pager rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+
+ /var/lib/dpkg/** r,
+
+ # file_inherit
+ /tmp/#[0-9]*[0-9] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-split b/apparmor.d/dpkg-split
new file mode 100644
index 00000000..39fad099
--- /dev/null
+++ b/apparmor.d/dpkg-split
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dpkg-split
+profile dpkg-split @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg-deb rPx,
+
+ /var/lib/dpkg/parts/ r,
+ /var/lib/dpkg/parts/* r,
+
+ /var/cache/apt/archives/*.deb r,
+
+ # For package building
+ @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-trigger b/apparmor.d/dpkg-trigger
new file mode 100644
index 00000000..71fece4c
--- /dev/null
+++ b/apparmor.d/dpkg-trigger
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg-trigger
+profile dpkg-trigger @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /var/lib/dpkg/triggers/Lock rwk,
+
+ /var/lib/dpkg/triggers/ r,
+ /var/lib/dpkg/triggers/Unincorp{,.new} rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/dpkg-vendor b/apparmor.d/dpkg-vendor
new file mode 100644
index 00000000..439c9ee7
--- /dev/null
+++ b/apparmor.d/dpkg-vendor
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dpkg-vendor
+profile dpkg-vendor @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /usr/bin/perl r,
+
+ /etc/dpkg/origins/* r,
+
+ #include if exists
+}
diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox
new file mode 100644
index 00000000..13a4721f
--- /dev/null
+++ b/apparmor.d/dropbox
@@ -0,0 +1,147 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/
+@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
+@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
+
+@{exec_path} = /{usr/,}bin/dropbox
+profile dropbox @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ ptrace peer=@{profile_name},
+
+ @{exec_path} r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ # Dropbox home files
+ owner @{HOME}/ r,
+ owner @{DROPBOX_HOME_DIR}/ rw,
+ owner @{DROPBOX_HOME_DIR}/** rwk,
+
+ # Shared files
+ owner @{DROPBOX_SHARE_DIR}/ rw,
+ owner @{DROPBOX_SHARE_DIR}/{,**} rw,
+
+ # Dropbox proprietary demon files
+ owner @{DROPBOX_DEMON_DIR}/{,**} rw,
+ owner @{DROPBOX_DEMON_DIR}/dropboxd rwix,
+ owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox rwix,
+ owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropboxd rwix,
+ owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox_py3 rwix,
+ owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/wmctrl rwix,
+ owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
+ owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
+ /{usr/,}bin/{,@{multiarch}-}objdump rix,
+
+ # Needed for updating Dropbox
+ owner /tmp/.dropbox-dist-new-*/{,**} rw,
+ owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
+ owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
+ owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
+ owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
+ owner @{HOME}/.dropbox-dist-old*/{,**} rw,
+ owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
+
+ # For autostart
+ deny owner @{HOME}/.config/autostart/dropbox.desktop rw,
+
+ # What's this for?
+ /{usr/,}bin/mount mrix,
+ @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
+ @{sys}/devices/virtual/block/loop[0-9]/ r,
+ @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
+ /{,var/}run/mount/utab r,
+
+ deny @{PROC}/ r,
+ # Dropbox doesn't sync without the 'stat' file
+ owner @{PROC}/@{pid}/stat r,
+ #
+ deny owner @{PROC}/@{pid}/statm r,
+ deny owner @{PROC}/@{pid}/io r,
+ deny @{PROC}/@{pid}/net/tcp{,6} r,
+ deny @{PROC}/@{pid}/net/udp{,6} r,
+ # When "cmdline" is blocked, Dropbox has some issues while starting:
+ # The Dropbox daemon is not installed! Run "dropbox start -i" to install the daemon
+ @{PROC}/@{pid}/cmdline r,
+ #
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fdinfo/* r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm r,
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ deny @{PROC}/version r,
+ # To remove the following error:
+ # RuntimeWarning: 'sin' and 'sout' swap memory stats couldn't be determined and were set to 0
+ # ([Errno 13] Permission denied: '/proc/vmstat')
+ @{PROC}/vmstat r,
+
+ # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
+ owner /tmp/dropbox-antifreeze-* rw,
+ owner /tmp/[a-zA-z0-9]* rw,
+ owner /tmp/#[0-9]*[0-9] rw,
+ owner /var/tmp/etilqs_* rw,
+
+ /{,var/}run/systemd/users/[0-9]* r,
+
+ deny @{sys}/module/apparmor/parameters/enabled r,
+
+ # External apps
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/dumpcap b/apparmor.d/dumpcap
new file mode 100644
index 00000000..2eddf5f0
--- /dev/null
+++ b/apparmor.d/dumpcap
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dumpcap
+profile dumpcap @{exec_path} {
+ #include
+
+ # To capture packekts
+ capability net_raw,
+ capability net_admin,
+
+ signal (receive) peer=wireshark,
+
+ @{exec_path} mr,
+
+ @{sys}/class/net/ r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/devices/virtual/net/*/type r,
+ @{sys}/devices/pci[0-9]*/**/net/*/type r,
+
+ @{PROC}/@{pid}/net/dev r,
+ @{PROC}/@{pid}/net/psched r,
+
+ /dev/ r,
+
+ # Traffic log files
+ owner /tmp/wireshark_*_[0-9]*_*.pcapng rw,
+ owner /tmp/*.pcap rw,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ /usr/share/GeoIP/* r,
+ /dev/dri/card[0-9] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/dumpe2fs b/apparmor.d/dumpe2fs
new file mode 100644
index 00000000..b663845a
--- /dev/null
+++ b/apparmor.d/dumpe2fs
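Review bot: `owner /tmp/[a-zA-z0-9]* rw` uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the rule matches more than the alphanumeric names the surrounding comment implies; it should read `owner /tmp/[a-zA-Z0-9]* rw,`. `/{usr/,}bin/mount mrix` under the `# What's this for?` comment executes mount inside the dropbox profile, inheriting every rule of a daemon that also has `rwix` on its own self-updating binaries under `@{DROPBOX_DEMON_DIR}`; resolving that question (or moving mount behind a `Px` transition) is worth doing before the profile is relied on in enforce mode. The `dropbox-lnx.*/*.so* mrw` and `dropboxd rwix` rules mean the profile knowingly permits writing and then mapping or executing the same files, which is inherent to the in-place updater but should be stated in the header comment, e.g. `# NOTE: w+ix/w+m on the daemon tree is required by Dropbox's self-update; do not tighten without testing an update`.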
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/{dumpe2fs,e2mmpstatus}
+profile dumpe2fs @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner /{,var/}run/blkid/blkid.tab{,-*} rw,
+ owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+
+ # Image files
+ @{HOME}/** r,
+ /media/*/** r,
+
+ #include if exists
+}
diff --git a/apparmor.d/e2fsck b/apparmor.d/e2fsck
new file mode 100644
index 00000000..1ae7e81b
--- /dev/null
+++ b/apparmor.d/e2fsck
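Review bot: `@{HOME}/** r` and `/media/*/** r` carry no `owner` qualifier and no extension filter, so a root-run dumpe2fs may read every user's home directory rather than just filesystem image files; the e2fsck and e2image profiles added in this same commit restrict the equivalent rules to `owner @{HOME}/**.{iso,img,bin,mdf,nrg}` (plus the upper-case variants), and this profile should match them, e.g. `owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,` and `owner /media/*/**.{iso,img,bin,mdf,nrg} r,`. With that change the `# Image files` comment would describe what the rules actually grant.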
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/{e2fsck,fsck.ext2,fsck.ext3,fsck.ext4}
+profile e2fsck @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # To check for badblocks
+ /{usr/,}bin/dash rix,
+ /{usr/,}sbin/badblocks rPx,
+
+ owner /{,var/}run/blkid/blkid.tab{,-*} rw,
+ owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ @{sys}/devices/**/power_supply/AC/online r,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/e2image b/apparmor.d/e2image
new file mode 100644
index 00000000..ceaf29be
--- /dev/null
+++ b/apparmor.d/e2image
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/e2image
+profile e2image @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ # A place for the metadata image file
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/edid-decode b/apparmor.d/edid-decode
new file mode 100644
index 00000000..31074dad
--- /dev/null
+++ b/apparmor.d/edid-decode
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/edid-decode
+profile edid-decode @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/*/edid r,
+
+ #include if exists
+}
diff --git a/apparmor.d/eject b/apparmor.d/eject
new file mode 100644
index 00000000..428ea0bb
--- /dev/null
+++ b/apparmor.d/eject
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/eject
+profile eject @{exec_path} {
+ #include
+ #include
+
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}lib/eject/dmcrypt-get-device rPx,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /etc/fstab r,
+
+ #include if exists
+}
diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa
new file mode 100644
index 00000000..bad412db
--- /dev/null
+++ b/apparmor.d/engrampa
@@ -0,0 +1,109 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/engrampa
+profile engrampa @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cp rix,
+
+ # Archivers
+ /{usr/,}bin/7z rix,
+ /{usr/,}lib/p7zip/7z rix,
+ /{usr/,}bin/unrar-nonfree rix,
+ /{usr/,}bin/zip rix,
+ /{usr/,}bin/unzip rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/xz rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/cpio rix,
+ /{usr/,}bin/gzip rix,
+ # For deb packages
+ /{usr/,}bin/dpkg-deb rix,
+
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ owner @{HOME}/.config/engrampa/ rw,
+
+ / r,
+ /home/ r,
+ #owner @{HOME}/ r,
+ #owner @{HOME}/** rw,
+ /media/ r,
+ /media/** rw,
+ /tmp/ r,
+ owner /tmp/** rw,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/.fr-*/{,**} rw,
+
+ owner @{HOME}/.config/mimeapps.list{,.*} rw,
+
+ /usr/share/engrampa/{,**} r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ # Allowed apps to open
+ /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/spacefm rPx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/spacefm rPx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/execute-dcut b/apparmor.d/execute-dcut
new file mode 100644
index 00000000..28af931a
--- /dev/null
+++ b/apparmor.d/execute-dcut
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/dcut /usr/share/dput/execute-dcut
+profile execute-dcut @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ #include if exists
+}
diff --git a/apparmor.d/execute-dput b/apparmor.d/execute-dput
new file mode 100644
index 00000000..52ca2297
--- /dev/null
+++ b/apparmor.d/execute-dput
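Review bot: `/media/** rw,` is the one writable path rule in the engrampa profile that carries no `owner` qualifier (compare `owner /tmp/** rw,` a few lines below and the commented-out `#owner @{HOME}/** rw,`), and because the archivers are all `rix` they inherit that write access to files belonging to other users on every mounted medium. Unless engrampa is expected to repack archives it does not own, `owner /media/** rw,` keeps it to the user's own files, matching the /tmp rule. If the unqualified form is deliberate, a short comment on that line saying why would stop it being "fixed" later.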
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput
+profile execute-dput @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
+
+ /usr/share/dput/{,**} r,
+
+ /etc/dput.cf r,
+ owner @{HOME}/.dput.cf r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # sources dir
+ owner @{BUILD_DIR}/**.changes r,
+ owner @{BUILD_DIR}/**.dsc r,
+ owner @{BUILD_DIR}/**.buildinfo r,
+ owner @{BUILD_DIR}/**.tar.xz r,
+
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpgconf mr,
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpgsm mr,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/exim4 b/apparmor.d/exim4
new file mode 100644
index 00000000..52fdd845
--- /dev/null
+++ b/apparmor.d/exim4
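Review bot: `@{BUILD_DIR} = /media/debuilder/` ends with a slash and is then used as `@{BUILD_DIR}/**.changes`, so the expanded pattern is `/media/debuilder//**.changes`; the other variables in this commit (`@{MOZ_LIBDIR}`, `@{HOME}`) carry no trailing slash and are joined with an explicit `/`. Dropping it, `@{BUILD_DIR} = /media/debuilder`, keeps the convention and avoids relying on how the parser treats a doubled slash. The value is also site-specific (one machine's build directory); if it is meant to be overridden it would sit better in a tunables file than in the profile itself.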
@@ -0,0 +1,64 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/exim4
+profile exim4 @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mrix,
+
+ capability dac_read_search,
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability chown,
+ capability fowner,
+ capability net_bind_service,
+ # Sendmail
+ capability net_admin,
+
+ /var/lib/exim4/config.autogenerated{,.tmp} r,
+
+ /etc/email-addresses r,
+ /etc/aliases r,
+
+ /var/log/exim4/mainlog w,
+ /var/log/exim4/paniclog w,
+
+ owner /var/spool/exim4/ r,
+ /var/spool/exim4/input/ r,
+ /var/spool/exim4/input/*-*-*-* rwk,
+ owner /var/spool/exim4/input/hdr.*-*-* rw,
+ owner /var/spool/exim4/input/hdr.@{pid} rw,
+ /var/spool/exim4/db/retry.lockfile rwk,
+ /var/spool/exim4/msglog/*-*-* w,
+
+ owner /var/mail/* rwk,
+ owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
+ owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
+
+ owner /{,var/}run/exim4/exim.pid rw,
+
+ owner /{,var/}run/dbus/system_bus_socket rw,
+
+ # file_inherit
+ /tmp/#[0-9]*[0-9] rw,
+ /var/lib/dpkg/status r,
+ /var/log/cron-apt/lastfullmessage r,
+
+ #include if exists
+}
diff --git a/apparmor.d/exo-helper b/apparmor.d/exo-helper
new file mode 100644
index 00000000..b755212f
--- /dev/null
+++ b/apparmor.d/exo-helper
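Review bot: `capability net_admin,` is justified only by `# Sendmail`, which does not say which operation of the sendmail entry point needs it; net_admin reaches well beyond binding a port (routing, interface and socket-option changes), so the motivating denial should be recorded the way fdisk and fatresize quote their ioctl, e.g. `# Sendmail: needed for <DENIED capability="net_admin" log line — TODO paste from audit log>`. The same applies, more mildly, to `dac_override` and `dac_read_search` together: if one of them was added to chase a single denial, a comment naming the path would let a later reader try dropping the other. The profile otherwise documents its rules well, so these two are the only uncommented broad grants.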
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9]
+profile exo-helper @{exec_path} {
+ #include
+ #include
+ #include
+
+ # These are needed when there's no default application set in the ~/.config/xfce4/helpers.rc
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/ r,
+ /usr/share/xfce4/ r,
+ /usr/share/xfce4/helpers/ r,
+ /usr/share/xfce4/helpers/*.desktop r,
+ /usr/local/share/ r,
+ owner @{HOME}/.local/share/ r,
+ owner @{HOME}/.local/share/xfce4/ r,
+ owner @{HOME}/.local/share/xfce4/helpers/ r,
+
+ /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
+
+ owner @{HOME}/.config/xfce4/helpers.rc rw,
+ owner @{HOME}/.config/xfce4/helpers.rc.@{pid}.tmp rw,
+ owner @{HOME}/.local/share/xfce4/helpers/*.desktop rw,
+ owner @{HOME}/.local/share/xfce4/helpers/*.desktop.@{pid}.tmp rw,
+
+ owner @{HOME}/.config/mimeapps.list{,.*} rw,
+
+ # Some missing icons
+ /usr/share/**.png r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/exo-open b/apparmor.d/exo-open
new file mode 100644
index 00000000..78c1e063
--- /dev/null
+++ b/apparmor.d/exo-open
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/exo-open
+profile exo-open @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx,
+
+ # It looks like gio-launch-desktop decides what app should be opened
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /** r,
+ owner /** rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/f3brew b/apparmor.d/f3brew
new file mode 100644
index 00000000..24953544
--- /dev/null
+++ b/apparmor.d/f3brew
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/f3brew
+profile f3brew @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/f3fix b/apparmor.d/f3fix
new file mode 100644
index 00000000..09293209
--- /dev/null
+++ b/apparmor.d/f3fix
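Review bot: `/** r,` followed by `owner /** rw,` in the exo-open profile gives the launcher read access to the entire filesystem and write access to every file the invoking user owns, which is close to no file confinement at all; the actual opening is handed off with `rPx` to exo-helper and gio-launch-desktop, so exo-open itself presumably needs at most read access to the paths it was given. If the wide rule is there because the argument can be any file, a comment on those two lines saying so (and whether `w` was ever observed as a denial) would make the trade-off visible; otherwise `r` on `/**` alone looks sufficient from what the profile shows. The f3brew hunk on this line raises nothing.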
@@ -0,0 +1,70 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/f3fix
+profile f3fix @{exec_path} {
+ #include
+ #include
+
+ # To remove the following errors:
+ # Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the
+ # kernel of the change, probably because it/they are in use. As a result, the old partition(s)
+ # will remain in use. You should reboot now before making further changes.
+ capability sys_admin,
+
+ # Needed? (##FIXME##)
+ capability sys_rawio,
+
+ # Needed?
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/dmidecode rPx,
+
+ /{usr/,}bin/udevadm rCx -> udevadm,
+
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/swaps r,
+
+ profile udevadm {
+ #include
+
+ ptrace (read),
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ # file_inherit
+ /dev/sd[a-z] rw,
+
+ }
+
+ #include if exists
+}
+
diff --git a/apparmor.d/f3probe b/apparmor.d/f3probe
new file mode 100644
index 00000000..06969769
--- /dev/null
+++ b/apparmor.d/f3probe
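Review bot: `capability sys_rawio,` and `ptrace (read),` are both marked `# Needed? (##FIXME##)` / `# Needed?` yet are granted unconditionally, and the identical pair with the same open question appears in the fatresize profile three hunks down. Until an audit denial shows they are required, the grants could be shipped commented out, the way f3write does with `#capability dac_override,` and its explanatory comment, so that an unneeded raw-I/O capability is not enforced by default. Whatever the outcome, the `##FIXME##` should be resolved in one place and the other profile updated to match rather than carrying two copies of the same uncertainty.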
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/f3probe
+profile f3probe @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
+
diff --git a/apparmor.d/f3read b/apparmor.d/f3read
new file mode 100644
index 00000000..6d065cec
--- /dev/null
+++ b/apparmor.d/f3read
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/f3read
+profile f3read @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ # USB drive mount locations
+ /media/*/ r,
+ /media/*/*/ r,
+
+ # To be able to read h2w files
+ /media/*/[0-9]*.h2w r,
+ /media/*/*/[0-9]*.h2w r,
+
+ #include if exists
+}
+
diff --git a/apparmor.d/f3write b/apparmor.d/f3write
new file mode 100644
index 00000000..276adb7e
--- /dev/null
+++ b/apparmor.d/f3write
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/f3write
+profile f3write @{exec_path} {
+ #include
+
+ # The f3write doesn't have to be started as root, but when it's started as root, the following
+ # CAP is needed in order to write to the user owned USB drives (e.g. mounted via udisks).
+ #capability dac_override,
+
+ @{exec_path} mr,
+
+ # USB drive mount locations
+ /media/*/ r,
+ /media/*/*/ r,
+
+ # To be able to write h2w files
+ owner /media/*/[0-9]*.h2w w,
+ owner /media/*/*/[0-9]*.h2w w,
+
+ #include if exists
+}
+
diff --git a/apparmor.d/fatlabel b/apparmor.d/fatlabel
new file mode 100644
index 00000000..65d4108b
--- /dev/null
+++ b/apparmor.d/fatlabel
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/fatlabel
+profile fatlabel @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/fatresize b/apparmor.d/fatresize
new file mode 100644
index 00000000..d87fdcb1
--- /dev/null
+++ b/apparmor.d/fatresize
@@ -0,0 +1,68 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/fatresize
+profile fatresize @{exec_path} {
+ #include
+ #include
+
+ # Needed to inform the system of newly created/removed partitions
+ # ioctl(3, BLKFLSBUF) = -1 EACCES (Permission denied)
+ capability sys_admin,
+
+ # Needed? (##FIXME##)
+ capability sys_rawio,
+
+ # Needed?
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/dmidecode rPx,
+
+ /{usr/,}bin/udevadm rCx -> udevadm,
+
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/swaps r,
+
+
+ profile udevadm {
+ #include
+
+ ptrace (read),
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ # file_inherit
+ /dev/sd[a-z] rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/fc-list b/apparmor.d/fc-list
new file mode 100644
index 00000000..59831ccf
--- /dev/null
+++ b/apparmor.d/fc-list
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/fc-list
+profile fc-list @{exec_path} {
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/fc-list mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/fdisk b/apparmor.d/fdisk
new file mode 100644
index 00000000..b21b465c
--- /dev/null
+++ b/apparmor.d/fdisk
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/fdisk
+profile fdisk @{exec_path} {
+ #include
+ #include
+
+ # Needed to inform the system of newly created/removed partitions
+ # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
+ capability sys_admin,
+
+ # To remove the following errors:
+ # kernel: device-mapper: core: fdisk: sending ioctl 5331 to DM device without required privilege.
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ @{PROC}/partitions r,
+
+ /etc/terminal-colors.d/fdisk.disable r,
+
+ # For disk images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ # For backups
+ owner @{HOME}/**.{bak,back} rwk,
+ owner /media/*/**.{bak,back} rwk,
+
+ #include if exists
+}
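Review bot: `/{usr/,}bin/fc-list mr,` in the fc-list profile repeats the binary path literally instead of `@{exec_path} mr,`, which every other profile in this commit uses; if `@{exec_path}` is ever widened (the way the firefox profile's is), the attachment and the map rule drift apart silently. The one-line change is `@{exec_path} mr,`. The fdisk hunk that shares this line looks consistent and raises nothing.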
diff --git a/apparmor.d/ffmpeg b/apparmor.d/ffmpeg
new file mode 100644
index 00000000..6a74fc06
--- /dev/null
+++ b/apparmor.d/ffmpeg
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{ffmpeg_ext} = [aA]{52,[aA][cC],[cC]3}
+@{ffmpeg_ext} += [mM][kK][aA]
+@{ffmpeg_ext} += [fF][lL][aA][cC]
+@{ffmpeg_ext} += [mM][pP][123cC]
+@{ffmpeg_ext} += [oO][gGmM][aA]
+@{ffmpeg_ext} += [wW]{,[aA]}[vV]
+@{ffmpeg_ext} += [wW][mM]{,[aA]}
+@{ffmpeg_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{ffmpeg_ext} += [aA][sS][fF]
+@{ffmpeg_ext} += [aA][vV][iI]
+@{ffmpeg_ext} += [dD][iI][vV][xX]
+@{ffmpeg_ext} += [mM][124][vV]
+@{ffmpeg_ext} += [mM][kKoO][vV]
+@{ffmpeg_ext} += [mM][pP][4aAeEgG]
+@{ffmpeg_ext} += [mM][pP][eE][gG]{,[124]}
+@{ffmpeg_ext} += [oO][gG][gGmMxXvV]
+@{ffmpeg_ext} += [rR][mM]{,[vV][bB]}
+@{ffmpeg_ext} += [wW][eE][bB][mM]
+@{ffmpeg_ext} += [wW][mMtT][vV]
+@{ffmpeg_ext} += [mM][pP]2[tT]
+
+# Subtitle extensions:
+# srt, txt, sub
+@{ffmpeg_ext} += [sS][rR][tT]
+@{ffmpeg_ext} += [tT][xX][tT]
+@{ffmpeg_ext} += [sS][uU][bB]
+
+# FFmpeg specific extensions:
+# ts, part
+@{ffmpeg_ext} += [tT][sS]
+@{ffmpeg_ext} += [pP][aA][rR][tT]
+
+@{exec_path} = /{usr/,}bin/ffmpeg
+profile ffmpeg @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Which files ffmpeg should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw,
+ owner /media/Grafi/* rw,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]/meminfo r,
+
+ owner @{HOME}/.Xauthority r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # To generate thumbnails in some apps
+ owner /tmp/*.{png,jpg} rw,
+
+ # TMP files for apps using ffmpeg
+ owner /tmp/vidcutter/** rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/ffplay b/apparmor.d/ffplay
new file mode 100644
index 00000000..9857e994
--- /dev/null
+++ b/apparmor.d/ffplay
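Review bot: `owner /media/Grafi/* rw,` hard-codes one machine's mount point into a profile that is otherwise generic; it belongs in the per-site override pulled in by the closing `#include if exists` line (its target is lost in this rendering) rather than in the shared profile, where every other installation inherits a rule for a directory it does not have. The preceding `owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw,` already covers media files under /media, so the extra rule only adds write access to non-media files in that one directory.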
@@ -0,0 +1,73 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{ffplay_ext} = [aA]{52,[aA][cC],[cC]3}
+@{ffplay_ext} += [mM][kK][aA]
+@{ffplay_ext} += [fF][lL][aA][cC]
+@{ffplay_ext} += [mM][pP][123cC]
+@{ffplay_ext} += [oO][gGmM][aA]
+@{ffplay_ext} += [wW]{,[aA]}[vV]
+@{ffplay_ext} += [wW][mM]{,[aA]}
+@{ffplay_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{ffplay_ext} += [aA][sS][fF]
+@{ffplay_ext} += [aA][vV][iI]
+@{ffplay_ext} += [dD][iI][vV][xX]
+@{ffplay_ext} += [mM][124][vV]
+@{ffplay_ext} += [mM][kKoO][vV]
+@{ffplay_ext} += [mM][pP][4aAeEgG]
+@{ffplay_ext} += [mM][pP][eE][gG]{,[124]}
+@{ffplay_ext} += [oO][gG][gGmMxXvV]
+@{ffplay_ext} += [rR][mM]{,[vV][bB]}
+@{ffplay_ext} += [wW][eE][bB][mM]
+@{ffplay_ext} += [wW][mMtT][vV]
+@{ffplay_ext} += [mM][pP]2[tT]
+
+# Subtitle extensions:
+# srt, txt, sub
+@{ffplay_ext} += [sS][rR][tT]
+@{ffplay_ext} += [tT][xX][tT]
+@{ffplay_ext} += [sS][uU][bB]
+
+@{exec_path} = /{usr/,}bin/ffplay
+profile ffplay @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Which media files ffplay should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{ffplay_ext} rw,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]/meminfo r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ffprobe b/apparmor.d/ffprobe
new file mode 100644
index 00000000..fb3cbbaa
--- /dev/null
+++ b/apparmor.d/ffprobe
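Review bot: `owner /{home,media}/**.@{ffplay_ext} rw,` grants write access to every media file the user owns, although ffplay only plays its input and, as far as I know, never writes to it; `owner /{home,media}/**.@{ffplay_ext} r,` is what the comment "Which media files ffplay should be able to open" describes, and the same `rw` appears on ffprobe's `owner /{home,media}/**.@{ffprobe_ext} rw,` in the next hunk, where ffprobe is purely an inspector. Separately, the `@{ffplay_ext}` list is a verbatim copy of `@{ffmpeg_ext}` and `@{ffprobe_ext}`; keeping one shared `@{media_ext}` tunable that all three profiles reference would stop the lists drifting apart when an extension is added to one of them.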
@@ -0,0 +1,68 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{ffprobe_ext} = [aA]{52,[aA][cC],[cC]3}
+@{ffprobe_ext} += [mM][kK][aA]
+@{ffprobe_ext} += [fF][lL][aA][cC]
+@{ffprobe_ext} += [mM][pP][123cC]
+@{ffprobe_ext} += [oO][gGmM][aA]
+@{ffprobe_ext} += [wW]{,[aA]}[vV]
+@{ffprobe_ext} += [wW][mM]{,[aA]}
+@{ffprobe_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{ffprobe_ext} += [aA][sS][fF]
+@{ffprobe_ext} += [aA][vV][iI]
+@{ffprobe_ext} += [dD][iI][vV][xX]
+@{ffprobe_ext} += [mM][124][vV]
+@{ffprobe_ext} += [mM][kKoO][vV]
+@{ffprobe_ext} += [mM][pP][4aAeEgG]
+@{ffprobe_ext} += [mM][pP][eE][gG]{,[124]}
+@{ffprobe_ext} += [oO][gG][gGmMxXvV]
+@{ffprobe_ext} += [rR][mM]{,[vV][bB]}
+@{ffprobe_ext} += [wW][eE][bB][mM]
+@{ffprobe_ext} += [wW][mMtT][vV]
+@{ffprobe_ext} += [mM][pP]2[tT]
+
+# Subtitle extensions:
+# srt, txt, sub
+@{ffprobe_ext} += [sS][rR][tT]
+@{ffprobe_ext} += [tT][xX][tT]
+@{ffprobe_ext} += [sS][uU][bB]
+
+@{exec_path} = /{usr/,}bin/ffprobe
+profile ffprobe @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Which media files ffprobe should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{ffprobe_ext} rw,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]/meminfo r,
+
+ #include if exists
+}
diff --git a/apparmor.d/filecap b/apparmor.d/filecap
new file mode 100644
index 00000000..f36c4f5c
--- /dev/null
+++ b/apparmor.d/filecap
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/filecap
+profile filecap @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # The default behavior is to check only the directories in the PATH environmental variable.
+ /{usr/,}sbin/ r,
+ /{usr/,}sbin/* r,
+ /{usr/,}bin/ r,
+ /{usr/,}bin/* r,
+ /usr/local/sbin/ r,
+ /usr/local/sbin/* r,
+ /usr/local/bin/ r,
+ /usr/local/bin/* r,
+
+ # It's also possible to check any dir/file in the system by using the "-a" flag.
+ #capability dac_read_search,
+ #/ r,
+ #/** r,
+
+ #include if exists
+}
diff --git a/apparmor.d/filezilla b/apparmor.d/filezilla
new file mode 100644
index 00000000..6ac9ff95
--- /dev/null
+++ b/apparmor.d/filezilla
@@ -0,0 +1,79 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/filezilla
+profile filezilla @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (send) set=(term, kill) peer=fzsftp,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/uname rix,
+
+ # When using SFTP protocol
+ /{usr/,}bin/fzsftp rPx,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.config/filezilla/ rw,
+ owner @{HOME}/.config/filezilla/* rwk,
+
+ owner @{HOME}/.cache/filezilla/ rw,
+ owner @{HOME}/.cache/filezilla/default_*.png rw,
+
+ /usr/share/filezilla/{,**} r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ # To remove the following error:
+ # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
+ # (g-file-error-quark, 2)
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ # Creating new files on FTP
+ /tmp/ r,
+ owner /tmp/fz[0-9]temp-[0-9]*/ rw,
+ owner /tmp/fz[0-9]temp-[0-9]*/fz*-lockfile rwk,
+ owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
+
+ # External apps
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # FTP share folder
+ owner /media/*/ftp/ r,
+ owner /media/*/ftp/** rw,
+
+ # Silencer
+ / r,
+ /*/ r,
+ /*/*/ r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/firefox b/apparmor.d/firefox
new file mode 100644
index 00000000..54d45a7a
--- /dev/null
+++ b/apparmor.d/firefox
@@ -0,0 +1,214 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
+@{MOZ_HOMEDIR} = @{HOME}/.mozilla
+@{MOZ_CACHEDIR} = @{HOME}/.cache/mozilla
+
+@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
+profile firefox @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ ##include
+
+
+ ptrace peer=@{profile_name},
+
+ signal (send) set=(term, kill) peer=keepassxc-proxy,
+ signal (send) set=(term, kill) peer=firefox-*,
+
+ @{exec_path} mrix,
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ /{usr/,}bin/dash rix,
+
+ # Firefox files
+ @{MOZ_LIBDIR}/{,**} r,
+ @{MOZ_LIBDIR}/*.so mr,
+ @{MOZ_LIBDIR}/crashreporter rPx,
+ @{MOZ_LIBDIR}/minidump-analyzer rPx,
+ @{MOZ_LIBDIR}/pingsender rPx,
+ @{MOZ_LIBDIR}/plugin-container rPx,
+ /usr/share/firefox/{,**} r,
+ /etc/firefox/{,**} r,
+
+ # Firefox plugins & extensions
+ /{usr/,}lib/mozilla/plugins/ r,
+ /{usr/,}lib/mozilla/plugins/libvlcplugin.so mr,
+ /usr/share/mozilla/extensions/{,**} r,
+ /usr/share/webext/{,**} r,
+
+ # To be able to read docs
+ /usr/share/doc/{,**} r,
+
+ # Firefox home files
+ owner @{MOZ_HOMEDIR}/ rw,
+ owner @{MOZ_HOMEDIR}/{extensions,systemextensionsdev}/ rw,
+ owner @{MOZ_HOMEDIR}/firefox/ rw,
+ owner @{MOZ_HOMEDIR}/firefox/installs.ini rw,
+ owner @{MOZ_HOMEDIR}/firefox/profiles.ini rw,
+ owner @{MOZ_HOMEDIR}/firefox/*/ rw,
+ owner @{MOZ_HOMEDIR}/firefox/*/** rwk,
+ # For keepassxc integration
+ owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
+
+ # Cache
+ owner @{HOME}/.cache/ rw,
+ owner @{MOZ_CACHEDIR}/ rw,
+ owner @{MOZ_CACHEDIR}/** rwk,
+
+ owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,
+
+ deny @{sys}/devices/system/cpu/present r,
+ deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/cgroup r,
+ deny owner @{PROC}/@{pid}/stat r,
+ deny owner @{PROC}/@{pids}/cmdline r,
+ deny owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pid}/task/ r,
+ deny owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ # To remove the following error:
+ # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
+ # (g-file-error-quark, 2)
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ # About:memory
+ deny owner @{PROC}/@{pid}/statm r,
+ deny owner @{PROC}/@{pid}/smaps r,
+ # Link Monitor (since 49.0.1)
+ deny @{PROC}/@{pid}/net/arp r,
+ deny @{PROC}/@{pid}/net/route r,
+ #
+ deny @{PROC}/@{pid}/net/if_inet6 r,
+
+ /etc/mime.types r,
+ /etc/mailcap r,
+
+ # Set default browser
+ /{usr/,}bin/update-mime-database rPUx,
+ owner @{HOME}/.config/mimeapps.list{,.*} rw,
+ owner @{HOME}/.local/share/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
+ owner @{HOME}/.local/share/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
+
+ # KDE system keyring
+ /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
+ /usr/share/xul-ext/kwallet5/* r,
+ /etc/xul-ext/kwallet5.js r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ /var/tmp/ r,
+ /tmp/ r,
+ owner /tmp/* rw,
+ owner /tmp/firefox_*/ rw,
+ owner /tmp/firefox_*/* rwk,
+ owner /tmp/firefox/ rw,
+ owner /tmp/firefox/* rwk,
+ owner /tmp/mozilla_*/ rw,
+ owner /tmp/mozilla_*/* rw,
+ owner /tmp/Temp-*/ rw,
+
+ deny /dev/ r,
+ deny /dev/shm/ r,
+ owner /dev/shm/org.chromium.* rw,
+ owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
+
+ /etc/fstab r,
+
+ # Silencer
+ deny /{usr/,}lib/firefox/** w,
+
+ /{usr/,}bin/gpa rPUx,
+ /{usr/,}bin/keepassxc-proxy rPUx, # For storing passwords externally
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/exo-open rCx -> open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+
+ # Allowed apps to open
+ /{usr/,}bin/vlc rPx,
+ /{usr/,}bin/qbittorrent rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/okular rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/xarchiver rPx,
+ /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/thunderbird rPx,
+ /{usr/,}bin/telegram-desktop rPx,
+ /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/qpdfview rPx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+ /{usr/,}bin/exo-open mr,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+
+ # Allowed apps to open
+ /{usr/,}bin/vlc rPx,
+ /{usr/,}bin/qbittorrent rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/okular rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/xarchiver rPx,
+ /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/thunderbird rPx,
+ /{usr/,}bin/telegram-desktop rPx,
+ /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/qpdfview rPx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/firefox-crashreporter b/apparmor.d/firefox-crashreporter
new file mode 100644
index 00000000..8ab31288
--- /dev/null
+++ b/apparmor.d/firefox-crashreporter
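Review bot: `deny /{usr/,}lib/firefox/** w,` under `# Silencer` spells the directory out while the profile defines `@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}` and attaches to `@{MOZ_LIBDIR}/firefox{,-bin,-esr}`, so an ESR install gets no silencer: writes to the ESR tree are still refused (the default) but are logged instead of quietly denied. `deny @{MOZ_LIBDIR}/** w,` keeps the rule in step with the attachment. The comment above `capability sys_admin,` / `capability sys_chroot,` explains when they are needed but not that they are granted regardless of the sysctl; a note that the grants are harmless when the process holds no capabilities but become live inside a user namespace would help a reader decide whether to keep them on a system where `unprivileged_userns_clone` is 0.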
@@ -0,0 +1,64 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{MOZ_LIBDIR} = /{usr/,}lib/firefox +@{MOZ_HOMEDIR} = @{HOME}/.mozilla +@{MOZ_CACHEDIR} = @{HOME}/.cache/mozilla + +@{exec_path} = @{MOZ_LIBDIR}/crashreporter +profile firefox-crashreporter @{exec_path} { + #include + #include + #include + #include + #include + #include + + signal (receive) set=(term, kill) peer=firefox, + + @{exec_path} mr, + + @{MOZ_LIBDIR}/minidump-analyzer rPx, + + /{usr/,}bin/mv rix, + + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, + + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.{dmp,extra} rw, + + owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + /tmp/ r, + owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/firefox/.parentlock w, + /var/tmp/ r, + + /etc/passwd r, + + owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, + + # file_inherit + owner @{MOZ_CACHEDIR}/firefox/*.*/** r, + owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r, + owner @{HOME}/.xsession-errors w, + + #include if exists +} 
diff --git a/apparmor.d/firefox-minidump-analyzer b/apparmor.d/firefox-minidump-analyzer new file mode 100644 index 00000000..51adaa16 --- /dev/null +++ b/apparmor.d/firefox-minidump-analyzer @@ -0,0 +1,47 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{MOZ_LIBDIR} = /{usr/,}lib/firefox +@{MOZ_HOMEDIR} = @{HOME}/.mozilla +@{MOZ_CACHEDIR} = @{HOME}/.cache/mozilla + +@{exec_path} = /{usr/,}lib/firefox/minidump-analyzer +profile firefox-minidump-analyzer @{exec_path} { + #include + #include + + signal (receive) set=(term, kill) peer=firefox, + + @{exec_path} mr, + + owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/firefox/.parentlock w, + + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, + + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.{dmp,extra} rw, + + owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, + + # file_inherit + owner @{MOZ_CACHEDIR}/firefox/*.*/startupCache/*Cache* r, + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r, + + #include if exists +} diff --git a/apparmor.d/firefox-pingsender b/apparmor.d/firefox-pingsender new file mode 100644 index 00000000..3250d4a0 --- /dev/null +++ b/apparmor.d/firefox-pingsender 
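Review bot: The file_inherit rule `owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r,` hard-codes one machine's Firefox profile directory, so on every other host it never matches and the inherited read is silently denied. The sibling firefox-crashreporter hunk already uses the portable form, `owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r,`. In the same file `@{exec_path} = /{usr/,}lib/firefox/minidump-analyzer` repeats the path that `@{MOZ_LIBDIR}` is defined for a few lines above; `@{exec_path} = @{MOZ_LIBDIR}/minidump-analyzer` keeps one source of truth for the install directory.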
@@ -0,0 +1,38 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{MOZ_LIBDIR} = /{usr/,}lib/firefox +@{MOZ_HOMEDIR} = @{HOME}/.mozilla +@{MOZ_CACHEDIR} = @{HOME}/.cache/mozilla + +@{exec_path} = @{MOZ_LIBDIR}/pingsender +profile firefox-pingsender @{exec_path} { + #include + #include + #include + #include + #include + + signal (receive) set=(term, kill) peer=firefox, + + @{exec_path} mr, + + owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/firefox-plugin-container b/apparmor.d/firefox-plugin-container new file mode 100644 index 00000000..f4d375ce --- /dev/null +++ b/apparmor.d/firefox-plugin-container @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} +@{MOZ_HOMEDIR} = @{HOME}/.mozilla +@{MOZ_CACHEDIR} = @{HOME}/.cache/mozilla + +@{exec_path} = @{MOZ_LIBDIR}/plugin-container +profile firefox-plugin-container @{exec_path} { + #include + + signal (receive) set=(term, kill) peer=firefox, + + @{exec_path} mr, + + #include if exists +} 
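Review bot: The telemetry rule `owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/... rw,` bypasses the `@{MOZ_HOMEDIR}` variable defined in the same file, and `@{MOZ_CACHEDIR}` is defined but never used; writing it as `owner @{MOZ_HOMEDIR}/firefox/*.*/saved-telemetry-pings/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,` matches the firefox-crashreporter profile. In the firefox-plugin-container hunk on this same line, `@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}` differs from the `/{usr/,}lib/firefox` used by crashreporter, minidump-analyzer and pingsender, so an ESR install would attach plugin-container but leave the other three helpers unconfined; one definition should be used in all four files.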
diff --git a/apparmor.d/firejail-default b/apparmor.d/firejail-default new file mode 100644 index 00000000..e7ded1ed --- /dev/null +++ b/apparmor.d/firejail-default 
@@ -0,0 +1,156 @@ +######################################### +# Generic Firejail AppArmor profile +######################################### + +########## +# A simple PID declaration based on Ubuntu's @{pid} +# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. +# We don't know if this definition is available outside Debian and Ubuntu, so +# we declare our own here. +########## +@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} + +profile firejail-default flags=(attach_disconnected,mediate_deleted) { + +########## +# Allow D-Bus access. It may negatively affect security. Comment those lines or +# use 'nodbus' option in profile if you don't need D-Bus functionality. +########## +#include +#include +dbus, + +########## +# With ptrace it is possible to inspect and hijack running programs. +########## +# Uncomment this line to allow all ptrace access +#ptrace, +# Allow obtaining some process information, but not ptrace(2) +ptrace (read,readby) peer=@{profile_name}, + +########## +# Allow read access to whole filesystem and control it from firejail. +########## +/{,**} rklm, + +########## +# Allow write access to paths writable in firejail which aren't used for +# executing programs. /run, /proc and /sys are handled separately. +# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes. +########## +/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w, + +########## +# Whitelist writable paths under /run, /proc and /sys. 
+########## +owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, +owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, +owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, + +# Allow writing to removable media +owner /{,var/}run/media/** w, + +# Allow logging Firejail blacklist violations to journal +/{,var/}run/systemd/journal/socket w, +/{,var/}run/systemd/journal/dev-log w, + +# Allow access to cups printing socket. +/{,var/}run/cups/cups.sock w, + +# Allow access to pcscd socket (smartcards) +/{,var/}run/pcscd/pcscd.comm w, + +# Needed for firefox sandbox +/proc/@{PID}/{uid_map,gid_map,setgroups} w, + +# Needed for electron apps +/proc/@{PID}/comm w, + +# Silence noise +deny /proc/@{PID}/oom_adj w, +deny /proc/@{PID}/oom_score_adj w, + +# Uncomment to silence all denied write warnings +#deny /sys/** w, + +########## +# Allow running programs only from well-known system directories. If you need +# to run programs from your home directory, uncomment /home line. +########## +/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix, +/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix, +/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix, +/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix, +/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix, +#/{,run/firejail/mnt/oroot/}home/** ix, + +# Appimage support +/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix, + +########## +# Blacklist specific sensitive paths. +########## +deny /**/.fscrypt/ rw, +deny /**/.fscrypt/** rwklmx, +deny /**/.snapshots/ rw, +deny /**/.snapshots/** rwklmx, + +########## +# Allow all networking functionality, and control it from Firejail. +########## +network inet, +network inet6, +network unix, +network netlink, +network raw, +# needed for wireshark +network packet, + +########## +# There is no equivalent in Firejail for filtering signals. 
+########## +signal (send) peer=@{profile_name}, +signal (receive), + +########## +# We let Firejail deal with capabilities, but ensure that +# some AppArmor related capabilities will not be available. +########## +capability chown, +capability dac_override, +capability dac_read_search, +capability fowner, +capability fsetid, +capability kill, +capability setgid, +capability setuid, +capability setpcap, +capability linux_immutable, +capability net_bind_service, +capability net_broadcast, +capability net_admin, +capability net_raw, +capability ipc_lock, +capability ipc_owner, +capability sys_module, +capability sys_rawio, +capability sys_chroot, +capability sys_ptrace, +capability sys_pacct, +capability sys_admin, +capability sys_boot, +capability sys_nice, +capability sys_resource, +capability sys_time, +capability sys_tty_config, +capability mknod, +capability lease, +#capability audit_write, +#capability audit_control, +capability setfcap, +#capability mac_override, +#capability mac_admin, + +# Site-specific additions and overrides. See local/README for details. +#include +} diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot new file mode 100644 index 00000000..7f918972 --- /dev/null +++ b/apparmor.d/flameshot 
@@ -0,0 +1,89 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/flameshot +profile flameshot @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/whoami rix, + + /{usr/,}bin/xdg-open rCx -> open, + + # Flameshot home files + owner @{HOME}/.config/flameshot/ rw, + owner @{HOME}/.config/flameshot/flameshot.ini rw, + owner @{HOME}/.config/flameshot/#[0-9]*[0-9] rw, + owner @{HOME}/.config/flameshot/flameshot.ini* rwl -> @{HOME}/.config/flameshot/#[0-9]*[0-9], + owner @{HOME}/.config/flameshot/flameshot.ini.lock rwk, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + owner /tmp/.*/{,s} rw, + owner /tmp/*= rw, + owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw, + + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /dev/shm/#[0-9]*[0-9] rw, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/fping b/apparmor.d/fping new file mode 100644 index 00000000..9d6bdffd --- /dev/null +++ b/apparmor.d/fping 
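Review bot: `/dev/shm/#[0-9]*[0-9] rw,` is the only write grant on a shared location in this profile without `owner`, while the comparable `owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,` rules a few lines above are owner-scoped; unless a non-owner case was observed, `owner /dev/shm/#[0-9]*[0-9] rw,` is the consistent form. Separately, the `open` child profile has an empty `# Allowed apps to open` section, so the `/{usr/,}bin/xdg-open rCx -> open` transition currently cannot launch anything; either list the intended targets or add `# intentionally empty: no external viewers permitted yet` so the next reader does not treat it as an omission.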
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/fping{,6}
+profile fping @{exec_path} {
+ #include
+ #include
+
+ # This CAP can be blocked when the net.ipv4.ping_group_range sysctl parametr is set. Otherwise it
+ # will return the following error:
+ # fping: can't create socket (must run as root?)
+ deny capability net_raw,
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/freetube b/apparmor.d/freetube
new file mode 100644
index 00000000..b702127b
--- /dev/null
+++ b/apparmor.d/freetube
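Review bot: `deny capability net_raw,` is a quiet deny, so on a host where `net.ipv4.ping_group_range` does not cover the user the resulting `fping: can't create socket` failure leaves no audit entry pointing at this rule. The comment above it should state that explicitly, e.g. `# deny is silent: if fping reports "can't create socket", check net.ipv4.ping_group_range before suspecting this profile`, and `parametr` in that comment should read `parameter`.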
@@ -0,0 +1,133 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{FT_LIBDIR} = /{usr/,}lib/freetube /opt/FreeTube + +@{exec_path} = @{FT_LIBDIR}/freetube +profile freetube @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set + # to "1". + capability sys_admin, + capability sys_chroot, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/uid_map w, + + # Needed? + #deny capability sys_ptrace, + #ptrace (read) peer=xdg-open, + + @{exec_path} mrix, + + @{FT_LIBDIR}/ r, + @{FT_LIBDIR}/** r, + @{FT_LIBDIR}/libffmpeg.so mr, + @{FT_LIBDIR}/swiftshader/libGLESv2.so mr, + @{FT_LIBDIR}/swiftshader/libEGL.so mr, + @{FT_LIBDIR}/chrome-sandbox rPx, + + owner @{HOME}/ r, + owner @{HOME}/.config/FreeTube/ rw, + owner @{HOME}/.config/FreeTube/** rwk, + + /var/tmp/ r, + /tmp/ r, + owner /tmp/.org.chromium.Chromium.*/ rw, + owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, + owner /tmp/.org.chromium.Chromium.*/SS w, + owner /tmp/net-export/ rw, + + /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.* rw, + + # The /proc/ dir is needed to avoid the following error: + # traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in + # freetube[56499b8a8000+531e000] + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/task/ r, + deny owner @{PROC}/@{pids}/task/@{tid}/status r, + deny @{PROC}/@{pids}/stat r, + owner 
@{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + deny @{PROC}/vmstat r, + @{PROC}/sys/fs/inotify/max_user_watches r, + + # The following are needed for View -> Developer Tools + @{PROC}/@{pid}/fd/ r, + deny @{PROC}/@{pids}/task/@{tid}/status r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + deny @{sys}/devices/virtual/tty/tty0/active r, + deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + # The irq file is needed to render pages. + deny @{sys}/devices/pci[0-9]*/**/irq r, + + # Needed? + deny owner @{HOME}/.pki/ rw, + deny owner @{HOME}/.pki/** rwk, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # no new privs + /{usr/,}bin/xdg-settings rPUx, + + /{usr/,}bin/xdg-open rCx -> open, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/freetube-chrome-sandbox b/apparmor.d/freetube-chrome-sandbox new file mode 100644 index 00000000..288e7830 --- /dev/null +++ b/apparmor.d/freetube-chrome-sandbox 
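Review bot: `capability sys_admin,` and `capability sys_chroot,` are granted to the main freetube profile, i.e. the Electron process that renders untrusted web content, and not only to the setuid `@{FT_LIBDIR}/chrome-sandbox rPx` helper that has its own profile; combined with `@{exec_path} mrix` this is a broad grant for that process. The comment ties the two capabilities to `kernel.unprivileged_userns_clone` being 1; if that is the only reason, a note such as `# drop these two capabilities on hosts that rely on the setuid chrome-sandbox instead` would let operators narrow the profile. The `# The following are needed for View -> Developer Tools` block also repeats `deny owner @{PROC}/@{pids}/task/@{tid}/status r,` verbatim and restates the `fd/` rule without `owner`, so one of each pair can be dropped.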
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{FT_LIBDIR} = /{usr/,}lib/freetube /opt/FreeTube
+
+@{exec_path} = @{FT_LIBDIR}/chrome-sandbox
+profile freetube-chrome-sandbox @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ @{exec_path} mr,
+
+ # Has to be lower "P"
+ @{FT_LIBDIR}/freetube rpx,
+
+ # The following is needed for View -> Developer Tools
+ @{PROC}/@{pids}/ r,
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/frontend b/apparmor.d/frontend
new file mode 100644
index 00000000..8ad975b3
--- /dev/null
+++ b/apparmor.d/frontend
@@ -0,0 +1,123 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/share/debconf/frontend +profile frontend @{exec_path} flags=(complain) { + #include + #include + #include + #include + + #capability sys_tty_config, + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, + + # debconf apps + /{usr/,}bin/adequate rPx, + /{usr/,}bin/debconf-apt-progress rPx, + /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, + /{usr/,}bin/linux-check-removal rPx, + /{usr/,}bin/ucf rPx, + /{usr/,}sbin/pam-auth-update rPx, + /usr/share/debian-security-support/check-support-status.hook rPx, + + # Run the package maintainer's scripts + # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) + #/var/lib/dpkg/info/*.{config,templates} rPUx, + #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, + #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, + /var/lib/dpkg/info/*.control r, + #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, + #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, + #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, + /var/lib/dpkg/tmp.ci/control r, + /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, + /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, + /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, + /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, + /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, + /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, + + # DKMS scipts + # What to do with it? 
(#FIXME#) + /{usr/,}lib/dkms/common.postinst rPUx, + /{usr/,}lib/dkms/dkms-* rPUx, + /{usr/,}lib/dkms/dkms_* rPUx, + + /etc/debconf.conf r, + /usr/share/debconf/{,**} r, + owner /var/cache/debconf/* rwk, + + /etc/inputrc r, + + /etc/shadow r, + + # The following is needed when debconf uses GUI frontends. + #include + #include + #include + #include + capability dac_read_search, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/hostname rPx, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + # The following is needed when debconf uses dialog/whiptail frontend. + /{usr/,}bin/whiptail rPx, + owner /tmp/file* w, + + + profile scripts flags=(complain) { + #include + #include + + # What's this for? (#FIXME#) + capability dac_read_search, + + /var/lib/dpkg/info/*.config r, + /var/lib/dpkg/info/*.{preinst,postinst} r, + /var/lib/dpkg/info/*.{prerm,postrm} r, + /var/lib/dpkg/tmp.ci/config r, + /var/lib/dpkg/tmp.ci/{preinst,postinst} r, + /var/lib/dpkg/tmp.ci/{prerm,postrm} r, + + / r, + + /{usr/,}bin/ r, + /{usr/,}bin/* rPUx, + + /{usr/,}sbin/ r, + /{usr/,}sbin/* rPUx, + + /{usr/,}lib/ r, + /{usr/,}lib/** rPUx, + + /usr/share/** r, + /usr/share/** rPUx, + + /etc/** rw, + /var/cache/** rw, + owner /tmp/** rw, + + } + + #include if exists +} diff --git a/apparmor.d/fsck b/apparmor.d/fsck new file mode 100644 index 00000000..b5673596 --- /dev/null +++ b/apparmor.d/fsck 
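Review bot: `/etc/shadow r,` in the main `frontend` profile hands the password-hash file to every debconf run, including the GUI and dialog frontends, and nothing in the hunk says which consumer needs it; if a particular maintainer script requires it, the grant belongs in the `scripts` child or in that tool's own profile, and if it came from a one-off audit log it should be dropped. A comment such as `# /etc/shadow: required by <PACKAGE-NAME placeholder>'s config script, see <LOG-REFERENCE placeholder>` would make the grant reviewable. Note also that both the profile and the `scripts` child are `flags=(complain)`, so none of these rules are enforced yet, and `/usr/share/** r,` is redundant beside `/usr/share/** rPUx,`.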
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/fsck
+profile fsck @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}sbin/e2fsck rPx,
+ /{usr/,}sbin/fsck.* rPx,
+
+ /etc/fstab r,
+
+ @{PROC}/partitions r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ owner /{,var/}run/fsck/ rw,
+ owner /{,var/}run/fsck/*.lock rwk,
+
+ # When a mount dir is passed to fsck as an argument.
+ /media/*/ r,
+ /boot/ r,
+ /home/ r,
+
+ owner /{,var/}run/blkid/blkid.tab{,-*} rw,
+ owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+
+ #include if exists
+}
diff --git a/apparmor.d/fsck-btrfs b/apparmor.d/fsck-btrfs
new file mode 100644
index 00000000..2acebfdd
--- /dev/null
+++ b/apparmor.d/fsck-btrfs
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/fsck.btrfs
+profile fsck-btrfs @{exec_path} {
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+
+ /etc/fstab r,
+
+ #include if exists
+}
diff --git a/apparmor.d/fsck-fat b/apparmor.d/fsck-fat
new file mode 100644
index 00000000..a3b23d99
--- /dev/null
+++ b/apparmor.d/fsck-fat
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/{fsck.fat,fsck.msdos,fsck.vfat,dosfsck}
+profile fsck-fat @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/fuseiso b/apparmor.d/fuseiso
new file mode 100644
index 00000000..974525c1
--- /dev/null
+++ b/apparmor.d/fuseiso
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/fuseiso +profile fuseiso @{exec_path} { + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/fusermount{,3} rPx, + + # Where to mount ISO files + owner @{HOME}/*/ rw, + owner @{HOME}/*/*/ rw, + + # Be able to mount ISO images + mount fstype=fuse.fuseiso -> /home/*/*/, + mount fstype=fuse.fuseiso -> /home/*/*/*/, + + # Image files to be mounted + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + owner @{HOME}/.mtab.fuseiso rwk, + owner @{HOME}/.mtab.fuseiso.new rw, + + /dev/fuse rw, + + #include if exists +} diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount new file mode 100644 index 00000000..07c08fd3 --- /dev/null +++ b/apparmor.d/fusermount 
@@ -0,0 +1,59 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/fusermount{,3} +profile fusermount @{exec_path} { + #include + #include + + # To mount anything: + # fusermount: mount failed: Operation not permitted + capability sys_admin, + + # This is needed when mounting MTP devices via some file manager: + # fusermount: mount failed: Permission denied + capability dac_read_search, + + @{exec_path} mr, + + # Where to mount ISO files + owner @{HOME}/*/ rw, + owner @{HOME}/*/*/ rw, + owner @{HOME}/.cache/**/ rw, + + # Be able to mount ISO images + mount fstype={fuse,fuse.*} -> /home/*/*/, + mount fstype={fuse,fuse.*} -> /home/*/*/*/, + mount fstype={fuse,fuse.*} -> /home/*/.cache/**/, + + # Be able to unmount the ISO images + umount /home/*/*/, + umount /home/*/*/*/, + umount /home/*/.cache/**/, + + # Image files to be mounted + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + /etc/fuse.conf r, + + /dev/fuse rw, + + @{PROC}/@{pid}/mounts r, + + #include if exists +} diff --git a/apparmor.d/fwupd b/apparmor.d/fwupd new file mode 100644 index 00000000..8286a096 --- /dev/null +++ b/apparmor.d/fwupd 
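Review bot: The `# Where to mount ISO files` and `# Image files to be mounted` blocks, with `owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,` and its three siblings, look copied from the fuseiso profile on the previous line: fusermount only issues the mount/umount calls on behalf of a FUSE daemon and does not open image files itself, and this hunk's own comment says it also serves MTP mounts via file managers. If these rules came from an audit log they are presumably file_inherit noise and should be dropped or at most kept as `r` under a `# file_inherit` comment, since a setuid helper should not carry write and lock grants it never uses. The `mount fstype={fuse,fuse.*} -> /home/*/*/` rules cannot be owner-scoped, which is acceptable only because fusermount checks mountpoint ownership itself; a one-line comment stating that reliance would help the next reviewer.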
@@ -0,0 +1,84 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd +profile fwupd @{exec_path} flags=(complain,attach_disconnected) { + #include + #include + + # This is needed in order to read/write from/to the /dev/tpm0 , device which is owned by tss:tss + capability dac_override, + + capability sys_rawio, + capability syslog, + + @{exec_path} mr, + + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + + /usr/share/fwupd/** r, + owner /var/cache/fwupd/** rw, + owner /var/lib/fwupd/** r, + owner /var/lib/fwupd/pending.db rwk, + + /etc/fwupd/** r, + + # In order to get to this file, the attach_disconnected flag has to be set + owner @{HOME}/.cache/fwupd/lvfs-metadata.xml.gz r, + + /usr/share/mime/mime.cache r, + + @{PROC}/modules r, + + /dev/mem r, + /dev/tpm[0-9] rw, + /dev/drm_dp_aux[0-9]* rw, + /dev/sd[a-z] r, + /dev/bus/usb/ r, + /dev/bus/usb/[0-9]*/[0-9]* rw, + + @{sys}/**/ r, + @{sys}/devices/** r, + + @{sys}/firmware/dmi/tables/smbios_entry_point r, + @{sys}/firmware/dmi/tables/DMI r, + @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, + @{sys}/kernel/security/lockdown r, + + /{var,}run/udev/data/* r, + + /{var,}run/motd.d/fwupd/85-fwupd w, + /{var,}run/motd.d/fwupd/.goutputstream-* rw, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + + profile gpg { + #include + + /{usr/,}bin/gpg mr, + /{usr/,}bin/gpgconf mr, + /{usr/,}bin/gpgsm mr, + + owner /var/lib/fwupd/gnupg/ rw, + owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, + + } + + #include if exists +} 
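Review bot: `capability dac_override,` is justified by the comment only through `/dev/tpm0` being owned by tss:tss, but the capability lifts DAC checks on every path the profile allows, including `/dev/mem r,`, `/dev/sd[a-z] r,` and `/dev/bus/usb/[0-9]*/[0-9]* rw,`. A narrower option is to make the device accessible without the override (a udev rule adjusting the TPM device's group or mode) and then drop the capability; if it must stay, the comment should list the other paths that were observed to need it. Note that `flags=(complain,attach_disconnected)` makes the whole profile, including the `gpg` child's `owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**`, log-only, so `sys_rawio` and `/dev/mem` access are not actually restricted until complain is removed.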
diff --git a/apparmor.d/fwupdmgr b/apparmor.d/fwupdmgr new file mode 100644 index 00000000..0ad1aaaa --- /dev/null +++ b/apparmor.d/fwupdmgr @@ -0,0 +1,53 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/fwupdmgr +profile fwupdmgr @{exec_path} flags=(complain) { + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/dbus-launch rCx -> dbus, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/fwupd/ rw, + owner @{HOME}/.cache/fwupd/lvfs-metadata.xml.gz{,.*} rw, + + owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, + owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/fd/ r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + + profile dbus { + #include + #include + + /{usr/,}bin/dbus-launch mr, + + owner @{HOME}/.Xauthority r, + + } + + #include if exists +} diff --git a/apparmor.d/fzsftp b/apparmor.d/fzsftp new file mode 100644 index 00000000..16558b07 --- /dev/null +++ b/apparmor.d/fzsftp 
@@ -0,0 +1,49 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/fzsftp +profile fzsftp @{exec_path} { + #include + #include + #include + + signal (receive) set=(term, kill) peer=filezilla, + + # Needed? + deny ptrace (trace), + + @{exec_path} mr, + + /{usr/,}bin/dash mrix, + /{usr/,}bin/ps rix, + /{usr/,}bin/ls rix, + + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/tty/drivers r, + deny @{PROC}/@{pids}/stat r, + deny @{PROC}/@{pids}/cmdline r, + + /tmp/ r, + + owner @{HOME}/.putty/randomseed rw, + + # file_inherit + #deny @{HOME}/.cache/filezilla/** rw, + + #include if exists +} diff --git a/apparmor.d/gajim b/apparmor.d/gajim new file mode 100644 index 00000000..2f0f3fd1 --- /dev/null +++ b/apparmor.d/gajim 
@@ -0,0 +1,107 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gajim +profile gajim @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + + /{usr/,}bin/ r, + /{usr/,}bin/dash rix, + /{usr/,}bin/uname rix, + /{usr/,}sbin/ldconfig rix, + + # To play sounds + /{usr/,}bin/aplay rCx -> audio, + /{usr/,}bin/pacat rCx -> audio, + + # Needed for GPG/PGP support + /{usr/,}bin/gpg rCx -> gpg, + + # External apps + /{usr/,}bin/xdg-settings rPUx, + /{usr/,}lib/firefox/firefox rPUx, + + # Gajim plugins + /usr/share/gajim/plugins/{,**} r, + + # Gajim home files + owner @{HOME}/ r, + owner @{HOME}/.config/gajim/{,**} rw, + owner @{HOME}/.local/share/gajim/ rw, + owner @{HOME}/.local/share/gajim/** rwk, + + # Cache + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/gajim/ rw, + owner @{HOME}/.cache/gajim/** rwk, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/) + owner /tmp/* rw, + # owner /var/tmp/* rw, + # owner @{HOME}/* rw, + + # Silencer + deny /usr/share/gajim/** w, + + + profile audio { + #include + #include + + /{usr/,}bin/aplay mr, + /{usr/,}bin/pacat mr, + + owner @{HOME}/.Xauthority r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + } + + profile gpg { + #include + + /{usr/,}bin/gpg mr, + + owner @{HOME}/.gnupg/ rw, + owner 
@{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/games-wesnoth b/apparmor.d/games-wesnoth
new file mode 100644
index 00000000..ad930cb5
--- /dev/null
+++ b/apparmor.d/games-wesnoth
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /usr/games/wesnoth{,-[0-9]*}
+profile games-wesnoth @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mrix,
+
+ /usr/share/games/wesnoth/[0-9]*/{,**} r,
+
+ owner @{HOME}/.config/wesnoth-[0-9]*/{,**} rw,
+
+ owner @{HOME}/.Xauthority r,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ owner @{HOME}/.icons/default/index.theme r,
+ /usr/share/icons/*/index.theme r,
+
+ #include if exists
+}
diff --git a/apparmor.d/games-wesnoth-sh b/apparmor.d/games-wesnoth-sh
new file mode 100644
index 00000000..e18680b3
--- /dev/null
+++ b/apparmor.d/games-wesnoth-sh
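Review bot: `/{usr/,}lib/firefox/firefox rPUx` and `/{usr/,}bin/xdg-settings rPUx` in the gajim profile fall back to unconfined execution whenever no profile for the target is loaded, and the browser is exactly the program a chat client hands untrusted links to. If this repository ships a firefox profile, `rPx` would make the transition fail closed instead of silently dropping confinement; if the unconfined fallback is deliberate, a comment at the `# External apps` block recording why would stop a later reader from tightening it blindly. `owner /tmp/* rw` likewise grants read/write on every owner-owned top-level entry in /tmp rather than only gajim's own files; if gajim uses a recognisable name pattern there, narrowing the rule to it would shrink what a compromised client can reach. The gajim profile begins on the previous line of this diff.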
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /usr/games/wesnoth-[0-9]*{-nolog,-smalgui,_editor} /usr/games/wesnoth-nolog
+profile games-wesnoth-sh @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /usr/games/wesnoth{,-[0-9]*} rPx,
+
+ # For the editor
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/sed rix,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/ganyremote b/apparmor.d/ganyremote
new file mode 100644
index 00000000..b2ba7df1
--- /dev/null
+++ b/apparmor.d/ganyremote
@@ -0,0 +1,115 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ganyremote
+profile ganyremote @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/gawk rix,
+
+ /{usr/,}bin/anyremote rPx,
+ /{usr/,}bin/ps rPx,
+
+ /{usr/,}bin/killall rCx -> killall,
+ /{usr/,}bin/pgrep rCx -> pgrep,
+
+ /{usr/,}bin/pacmd rPUx,
+ /{usr/,}bin/pactl rPUx,
+
+ # Players
+ /{usr/,}bin/smplayer rPUx,
+ /{usr/,}bin/amarok rPUx,
+ /{usr/,}bin/vlc rPUx,
+ /{usr/,}bin/mpv rPUx,
+ /{usr/,}bin/strawberry rPUx,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.anyRemote/{,*} rw,
+
+ /usr/share/anyremote/{,**} r,
+
+ deny @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /etc/fstab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # Doc dirs
+ deny /usr/local/share/ r,
+ deny /usr/share/ r,
+ deny /usr/share/doc/ r,
+ /usr/share/doc/anyremote{,-data}/ r,
+
+
+ profile killall {
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ signal (send) set=(int, term, kill),
+
+ ptrace (read),
+
+ /{usr/,}bin/killall mr,
+
+ # The /proc/ dir is needed to avoid the following error:
+ # /proc: Permission denied
+ @{PROC}/ r,
+ @{PROC}/@{pids}/stat r,
+
+ }
+
+ profile pgrep {
+ #include
+ #include
+
+ /{usr/,}bin/pgrep mr,
+
+ # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
+ @{PROC}/ r,
+ @{PROC}/@{pids}/cmdline r,
+ deny @{PROC}/sys/kernel/osrelease r,
+
+ /usr/share/anyremote/{,**} r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/gconfd b/apparmor.d/gconfd
new file mode 100644
index 00000000..032c43ff
--- /dev/null
+++ b/apparmor.d/gconfd
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9]
+profile gconfd @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /var/lib/gconf/** r,
+ /etc/gconf/** r,
+
+ owner @{HOME}/.gconf/ rw,
+ owner @{HOME}/.gconf/.testing.writeability rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/gdisk b/apparmor.d/gdisk
new file mode 100644
index 00000000..3301ae35
--- /dev/null
+++ b/apparmor.d/gdisk
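Review bot: The `killall` child profile in ganyremote grants `capability sys_ptrace`, `ptrace (read)` and `signal (send) set=(int, term, kill)` with no `peer=` restriction, so that child may signal any process the user owns, not only the players ganyremote starts. The sibling `pgrep` child profile shows that process enumeration works without the capability, and the signal rule could be narrowed to the profiles of the processes killall is expected to stop, e.g. `signal (send) set=(int, term, kill) peer=<PLAYER-PROFILE-NAME>,` per managed player (placeholder; the player profiles are not visible here), with a comment naming them. Note that the player binaries are executed with `rPUx`, so if a player has no profile it runs unconfined and a `peer=` match against its profile name would not apply; that interaction should be decided explicitly rather than left implicit. The ganyremote profile begins on the previous line of this diff.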
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/gdisk
+profile gdisk @{exec_path} {
+ #include
+ #include
+
+ # Needed to inform the system of newly created/removed partitions
+ # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
+ #
+ # Warning: The kernel is still using the old partition table.
+ # The new table will be used at the next reboot or after you
+ # run partprobe(8) or kpartx(8)
+ # The operation has completed successfully.
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ # For disk images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ # For backups
+ owner @{HOME}/**.{bak,back} rwk,
+ owner /media/*/**.{bak,back} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/geany b/apparmor.d/geany
new file mode 100644
index 00000000..545a8d4b
--- /dev/null
+++ b/apparmor.d/geany
@@ -0,0 +1,119 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/geany
+profile geany @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # To edit system files as root.
+ capability dac_read_search,
+ capability dac_override,
+
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ # For the sorting feature
+ /{usr/,}bin/sort rix,
+
+ # When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
+ # root processes:
+ # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
+ # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
+ #
+ # Should this be allowed? Geany works fine without this.
+ #/{usr/,}bin/dbus-launch rCx -> dbus,
+ #/{usr/,}bin/dbus-send rCx -> dbus,
+ deny /{usr/,}bin/dbus-launch rx,
+ deny /{usr/,}bin/dbus-send rx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /usr/share/geany/{,**} r,
+
+ owner @{HOME}/.config/geany/{,**} rw,
+
+ owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,
+
+ # To read/write files in the system. The read permission is granted for all files, the write
+ # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
+ # the list.
+ / r,
+ /boot/ r,
+ /boot/** r,
+ owner /boot/** rw,
+ /etc/ r,
+ /etc/** r,
+ owner /etc/** rw,
+ /efi/ r,
+ /efi/** r,
+ owner /efi/** rw,
+ /home/ r,
+ /home/** r,
+ owner /home/** rw,
+ /lost+found/ r,
+ /lost+found/** r,
+ owner /lost+found/** rw,
+ /media/ r,
+ /media/** r,
+ owner /media/** rw,
+ /mnt/ r,
+ /mnt/** r,
+ owner /mnt/** rw,
+ /opt/ r,
+ /opt/** r,
+ owner /opt/** rw,
+ /root/ r,
+ /root/** r,
+ owner /root/** rw,
+ /run/ r,
+ /run/** r,
+ owner /run/** rw,
+ /srv/ r,
+ /srv/** r,
+ owner /srv/** rw,
+ /tmp/ r,
+ /tmp/** r,
+ owner /tmp/** rw,
+ /usr/ r,
+ /usr/** r,
+ owner /usr/** rw,
+ /var/ r,
+ /var/** r,
+ owner /var/** rw,
+
+
+ profile dbus {
+ #include
+ #include
+
+ /{usr/,}bin/dbus-launch mr,
+ /{usr/,}bin/dbus-send mr,
+ /{usr/,}bin/dbus-daemon rPUx,
+
+ # for dbus-launch
+ owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+
+ @{HOME}/.Xauthority r,
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/gio-launch-desktop b/apparmor.d/gio-launch-desktop
new file mode 100644
index 00000000..40e31baf
--- /dev/null
+++ b/apparmor.d/gio-launch-desktop
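Review bot: The `profile dbus { … }` child in geany is unreachable: both `rCx -> dbus` transitions are commented out and replaced by `deny /{usr/,}bin/dbus-launch rx` and `deny /{usr/,}bin/dbus-send rx`, so the child's rules, including `@{HOME}/.Xauthority r` and `/{usr/,}bin/dbus-daemon rPUx`, are dead configuration that will drift from the decision recorded above them. Either remove the block or comment it out together with the transitions so the two stay in step. Separately, the broad `owner /etc/** rw`, `owner /boot/** rw` and `owner /usr/** rw` rules only do work when geany runs as root, where `owner` matches root-owned files; the `# To read/write files in the system.` comment would be more useful if it said plainly that under root this profile limits what geany can execute but not what it can write. The geany profile begins on the previous line of this diff.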
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gio
+@{exec_path} += /{usr/,}bin/gio-launch-desktop
+@{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
+profile gio-launch-desktop @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # System files
+ /etc/gnome/defaults.list r,
+ /usr/share/mime/* r,
+ /usr/share/{,*/}applications/{,**} r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+
+ # User files
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/git b/apparmor.d/git
new file mode 100644
index 00000000..d89e6ef9
--- /dev/null
+++ b/apparmor.d/git
@@ -0,0 +1,130 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/git
+profile git @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/git-core/git rix,
+ /{usr/,}lib/git-core/git-* rix,
+
+ # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
+ # the most similar commands, which it thinks can be used instead. Git binaries are all under
+ # /usr/bin/ , so allow only this location.
+ /{usr/,}bin/ r,
+ deny /{usr/,}sbin/ r,
+ deny /usr/local/bin/ r,
+ deny /usr/games/ r,
+ deny /usr/local/games/ r,
+
+ # These are needed for "git submodule update"
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/gettext.sh rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/envsubst rix,
+ /{usr/,}bin/gettext rix,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,e}grep rix,
+
+ /{usr/,}bin/pager rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+
+ /{usr/,}bin/man rPx,
+
+ # For signing commits
+ /{usr/,}bin/gpg rCx -> gpg,
+
+ # For SSH support
+ /{usr/,}bin/ssh rCx -> ssh,
+
+ # Difftools
+ /{usr/,}bin/meld rPUx,
+
+ owner @{HOME}/.config/git/ rw,
+ owner @{HOME}/.config/git/config rw,
+
+ /usr/share/git-core/{,**} r,
+
+ # For diffs
+ owner /tmp/git-difftool.*/ rw,
+ owner /tmp/git-difftool.*/right/{,**} rw,
+ owner /tmp/git-difftool.*/left/{,**} rw,
+ owner /tmp/* rw,
+
+ # For git log --show-signature
+ owner /tmp/.git_vtag_tmp* rw,
+
+ # For android studio
+ owner /tmp/git-commit-msg-.txt rw,
+
+ # For package building
+ 
owner @{HOME}/*/ rw,
+ owner @{HOME}/*/** rwkl -> @{HOME}/*/**,
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+ owner @{BUILD_DIR}/**/bin/* rCx -> exec,
+
+ /etc/mailname r,
+
+
+ profile gpg {
+ #include
+ #include
+
+ /{usr/,}bin/gpg mr,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ owner /tmp/.git_vtag_tmp* r,
+
+ }
+
+ profile ssh {
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/ssh mr,
+
+ /etc/ssh/ssh_config.d/{,*} r,
+ /etc/ssh/ssh_config r,
+
+ owner @{HOME}/.ssh/* r,
+ owner @{HOME}/.ssh/known_hosts rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner /tmp/git@*:[0-9]* rwl -> /tmp/git@*:[0-9]*.*,
+
+ }
+
+ profile exec {
+ #include
+
+ owner @{BUILD_DIR}/**/bin/* mr,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/globaltime b/apparmor.d/globaltime
new file mode 100644
index 00000000..bf4a9a47
--- /dev/null
+++ b/apparmor.d/globaltime
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/globaltime
+profile globaltime @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.config/globaltime/ rw,
+ owner @{HOME}/.config/globaltime/globaltimerc{,.*} rw,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/glxgears b/apparmor.d/glxgears
new file mode 100644
index 00000000..4cefc138
--- /dev/null
+++ b/apparmor.d/glxgears
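Review bot: `owner @{HOME}/*/ rw` and `owner @{HOME}/*/** rwkl -> @{HOME}/*/**` in the git profile also match dot-directories, since AppArmor's `*` does not exclude a leading dot, so git — and any repository hook it runs through `/{usr/,}bin/dash rix` under the same profile — can read and write `@{HOME}/.ssh/**`, `@{HOME}/.gnupg/**` and `@{HOME}/.config/**`. If the intent of `# For package building` is "any checkout under the home directory", consider carving the credential directories out with explicit denies, which take precedence over the allow, e.g. `deny owner @{HOME}/.ssh/** w,` and `deny owner @{HOME}/.gnupg/** w,`, and stating in that comment which directories the broad rule is meant to cover. The `ssh` and `gpg` child profiles keep their own narrower rules and would not be affected by denies placed in the parent. The git profile begins on the previous line of this diff.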
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/glxgears
+profile glxgears @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+
+ # Needed?
+ deny capability sys_nice,
+
+ signal (receive) set=(term, kill),
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ #include if exists
+}
diff --git a/apparmor.d/glxinfo b/apparmor.d/glxinfo
new file mode 100644
index 00000000..b65d7433
--- /dev/null
+++ b/apparmor.d/glxinfo
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/glxinfo
+profile glxinfo @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ /usr/share/X11/XErrorDB r,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/gnome-keyring-daemon b/apparmor.d/gnome-keyring-daemon
new file mode 100644
index 00000000..ee909354
--- /dev/null
+++ b/apparmor.d/gnome-keyring-daemon
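Review bot: `capability sys_admin` is granted to glxgears with no comment on which operation needs it, while the `deny capability sys_nice` right below is at least marked `# Needed?`; the glxinfo hunk on this same line grants the same unexplained `capability sys_admin`. sys_admin is the broadest capability there is, and both profiles are otherwise tiny, so the rule deserves either the denial message it was added to silence or — if the programs run fine without it, as the sys_nice handling suggests was tested — a `deny capability sys_nice,`-style treatment: `# Needed?` followed by `deny capability sys_admin,`. Recording the observed denial keeps the grant from being copied into other profiles as boilerplate.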
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
+profile gnome-keyring-daemon @{exec_path} {
+ #include
+ #include
+
+ # Remove the following error:
+ # gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used
+ capability ipc_lock,
+
+ @{exec_path} mr,
+
+ # Keyrings location
+ owner @{HOME}/.local/share/keyrings/ rw,
+ owner @{HOME}/.local/share/keyrings/* rwl,
+
+ # Seahorse and SSH keys
+ owner @{HOME}/.ssh/ r,
+ owner @{HOME}/.ssh/** r,
+
+ owner /{,var/}run/user/[0-9]*/keyring/ rw,
+ owner /{,var/}run/user/[0-9]*/keyring/* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome
new file mode 100644
index 00000000..7c1e3b9c
--- /dev/null
+++ b/apparmor.d/google-chrome-chrome
@@ -0,0 +1,197 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
+@{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable}
+@{CHROME_CACHEDIR} = @{HOME}/.cache/google-chrome{,-beta,-unstable}
+
+@{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable}
+profile google-chrome-chrome @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ ptrace (trace) peer=@{profile_name},
+
+ signal (send) set=(term, kill) peer=keepassxc-proxy,
+
+ @{exec_path} mrix,
+
+ @{CHROME_INSTALLDIR}/{,**} r,
+ @{CHROME_INSTALLDIR}/chrome-sandbox rPx,
+ @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable} rPx,
+ @{CHROME_INSTALLDIR}/nacl_helper rix,
+ @{CHROME_INSTALLDIR}/xdg-mime rix,
+ @{CHROME_INSTALLDIR}/xdg-settings rix,
+
+ # For "google-chrome --help"
+ /{usr/,}bin/man rPUx,
+
+ # For storing passwords externally
+ /{usr/,}bin/keepassxc-proxy rPUx,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # no new privs
+ deny /{usr/,}bin/xdg-desktop-menu rx,
+ deny /{usr/,}bin/xdg-icon-resource rx,
+
+ /{usr/,}bin/xdg-mime rPUx,
+ /{usr/,}bin/xdg-settings rPUx,
+
+ # To remove the following error:
+ # Error initializing NSS with a persistent database
+ owner @{HOME}/.pki/ rw,
+ owner @{HOME}/.pki/nssdb/ rw,
+ owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+ # Google Chrome home files
+ owner @{HOME}/ r,
+ owner @{CHROME_HOMEDIR}/ rw,
+ owner @{CHROME_HOMEDIR}/** rwk,
+ # Flashplayer
+ owner @{CHROME_HOMEDIR}/PepperFlash/**/libpepflashplayer.so mr,
+
+ owner @{HOME}/.local/share/.com.google.Chrome.* rw,
+
+ # Cache files
+ owner @{HOME}/.cache/ rw,
+ owner @{CHROME_CACHEDIR}/{,**/} rw,
+ owner @{CHROME_CACHEDIR}/*/**/{*-,}index rw,
+ owner @{CHROME_CACHEDIR}/*/**/[a-f0-9]*_? 
rw,
+ owner @{CHROME_CACHEDIR}/*/**/todelete_* rw,
+
+ # To remove browser history/cache
+ owner @{CHROME_CACHEDIR}/PnaclTranslationCache/index rw,
+ owner @{CHROME_CACHEDIR}/PnaclTranslationCache/data_[0-9]*[0-9] rw,
+
+ # For importing data (bookmarks, cookies, etc) from Firefox
+ owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ owner @{HOME}/.mozilla/firefox/*/ r,
+ owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+ owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+ owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+ owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ owner @{HOME}/.mozilla/firefox/*/logins.json r,
+ # For importing data from Chromium
+ owner "@{HOME}/.config/chromium/Local State" r,
+ owner @{HOME}/.config/chromium/Singleton{Lock,Socket,Cookie} w,
+ owner "@{HOME}/.config/chromium/*/Login Data{,-journal}" rwk,
+ owner @{HOME}/.config/chromium/*/ r,
+ owner @{HOME}/.config/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
+
+ /etc/fstab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # Needed or Google Chrome crash with the following error:
+ # illegal hardware instruction
+ @{PROC}/ r,
+ #
+ deny @{PROC}/vmstat r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/@{pid}/fd/ r,
+ deny @{PROC}/@{pids}/stat r,
+ deny @{PROC}/@{pids}/statm r,
+ # To remove the following error:
+ # Failed to adjust OOM score of renderer with pid : Permission denied
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ #
+ deny @{PROC}/@{pids}/cmdline r,
+ deny owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pid}/task/ r,
+ deny @{PROC}/@{pids}/task/@{tid}/stat r,
+ deny @{PROC}/@{pids}/task/@{tid}/status r,
+ deny owner @{PROC}/@{pid}/limits r,
+ deny owner @{PROC}/@{pid}/mem r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ deny @{PROC}/diskstats r,
+
+ owner /dev/shm/.com.google.Chrome.* rw,
+
+ # 
To play DRM media (protected content)
+ @{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
+ @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # Udev enumeration
+ @{sys}/bus/ r,
+ @{sys}/bus/**/devices/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/class/ r,
+ @{sys}/class/**/ r,
+ /{,var/}run/udev/data/* r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+
+ deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
+ deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+
+ # To remove the following error:
+ # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
+ # The irq file is needed to render pages.
+ @{sys}/devices/pci[0-9]*/**/irq r,
+
+ /var/tmp/ r,
+ /tmp/ r,
+ owner /tmp/.com.google.Chrome.* rw,
+ owner /tmp/.com.google.Chrome.*/{,**} rw,
+ # For installing/updating extensions
+ owner /tmp/scoped_dir*/{,**} rw,
+
+ # Silencer
+ deny @{CHROME_INSTALLDIR}/** w,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/google-chrome-chrome-sandbox b/apparmor.d/google-chrome-chrome-sandbox
new file mode 100644
index 00000000..6aab4588
--- /dev/null
+++ b/apparmor.d/google-chrome-chrome-sandbox
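Review bot: `owner @{CHROME_HOMEDIR}/PepperFlash/**/libpepflashplayer.so mr` maps executable code from a directory the same profile can write (`owner @{CHROME_HOMEDIR}/** rwk`), so any write into the profile directory can also supply a library the browser will load; the profile otherwise keeps code under `@{CHROME_INSTALLDIR}` (read-only, with `deny @{CHROME_INSTALLDIR}/** w` as a silencer). If the Flash component path is still needed, the `# Flashplayer` comment should say that this is an accepted write-plus-map exception and why; otherwise the rule is a good candidate to drop. The Firefox import block grants `rwk` on `{cert9,key4}.db` and the `.sqlite` stores plus `r` on `logins.json`, which gives Chrome standing access to another browser's credential store rather than a one-off import; if that is intended, a sentence at `# For importing data (bookmarks, cookies, etc) from Firefox` saying so would stop a reviewer from treating it as leftover. The google-chrome-chrome profile begins three lines earlier in this diff.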
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
+@{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable}
+@{CHROME_CACHEDIR} = @{HOME}/.cache/google-chrome{,-beta,-unstable}
+
+@{exec_path} = @{CHROME_INSTALLDIR}/chrome-sandbox
+profile google-chrome-chrome-sandbox @{exec_path} {
+ #include
+ #include
+
+ # For kernel unprivileged user namespaces
+ capability sys_admin,
+ capability sys_chroot,
+ capability setuid,
+ capability setgid,
+
+ # optional
+ capability sys_resource,
+
+ @{exec_path} mr,
+ @{CHROME_INSTALLDIR}/chrome rPx,
+ @{CHROME_INSTALLDIR}/nacl_helper rix,
+
+ deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+
+ @{PROC} r,
+ @{PROC}/@{pids}/ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/google-chrome-google-chrome b/apparmor.d/google-chrome-google-chrome
new file mode 100644
index 00000000..d5bb1c17
--- /dev/null
+++ b/apparmor.d/google-chrome-google-chrome
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
+@{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable}
+@{CHROME_CACHEDIR} = @{HOME}/.cache/google-chrome{,-beta,-unstable}
+
+@{exec_path} = @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable}
+profile google-chrome-google-chrome @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/bash rix,
+
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/cat rix,
+
+ @{CHROME_INSTALLDIR}/chrome rPx,
+
+ owner @{PROC}/@{pid}/fd/* rw,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/gpa b/apparmor.d/gpa
new file mode 100644
index 00000000..8902b764
--- /dev/null
+++ b/apparmor.d/gpa
@@ -0,0 +1,62 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gpa
+profile gpa @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gpgconf rPx,
+ /{usr/,}bin/gpg-connect-agent rPx,
+ /{usr/,}bin/gpg rPx,
+ /{usr/,}bin/gpgsm rPx,
+
+ /usr/share/gpa/{,*} r,
+
+ owner @{HOME}/.gnupg/gpa.conf rw,
+ owner @{HOME}/.gnupg/S.uiserver rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /tmp/ r,
+
+ # To create/verify singatures
+ owner /**.{asc,sig,sign} rw,
+
+ # To encrypt/decrypt files
+ owner /**.{gpg,txt} rw,
+
+ # Files to verify
+ owner /**.tar.gz r,
+
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
+
+ # External apps
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/gparted b/apparmor.d/gparted
new file mode 100644
index 00000000..bae81d0c
--- /dev/null
+++ b/apparmor.d/gparted
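Review bot: `owner /**.{gpg,txt} rw`, `owner /**.{asc,sig,sign} rw` and `owner /**.tar.gz r` span the entire filesystem, so when gpa is run as root every root-owned `.txt` (under `/etc/`, for instance) becomes writable through the GUI; the gdisk hunk earlier in this commit scopes the equivalent document rules to `owner @{HOME}/**…` and `owner /media/*/**…`. Consider the same scoping here, e.g. `owner @{HOME}/**.{gpg,txt} rw,` and `owner /media/*/**.{gpg,txt} rw,`, or a comment at `# To encrypt/decrypt files` explaining why whole-filesystem patterns are required. The `/{usr/,}lib/firefox/firefox rPUx` rule also falls back to unconfined when no firefox profile is loaded, which is worth noting next to `# External apps` as it is in the other profiles of this commit.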
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/gparted
+profile gparted @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/rm rix,
+
+ /{usr/,}lib/udisks2/udisks2-inhibit rix,
+ /usr/libexec/udisks2/udisks2-inhibit rix,
+ /{var/,}run/udev/rules.d/ rw,
+ /{var/,}run/udev/rules.d/90-udisks-inhibit.rules rw,
+
+ /{usr/,}bin/udevadm rCx -> udevadm,
+
+ /{usr/,}sbin/gpartedbin rPx,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/xhost rPx,
+ /{usr/,}bin/pkexec rPx,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile udevadm {
+ #include
+
+ ptrace (read),
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ @{sys}/** r,
+ @{sys}/devices/virtual/block/**/uevent rw,
+ @{sys}/devices/pci[0-9]*/**/block/**/uevent rw,
+ /{var/,}run/udev/data/* r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin
new file mode 100644
index 00000000..0eea5cc7
--- /dev/null
+++ b/apparmor.d/gpartedbin
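Review bot: The `udevadm` child profile in gparted grants `ptrace (read)` with no `peer=` restriction and `@{PROC}/1/environ r`, i.e. read access to init's environment, without a comment saying which udevadm check needs them; the gpartedbin hunk later in this commit carries a near-identical `profile udevadm` (it adds `owner @{PROC}/@{pid}/cgroup r` and `/dev/mapper/control rw`), so the two copies will drift. A shared abstraction for the udevadm child, or a single named udevadm profile both parents transition to with `rPx -> udevadm` as this commit already does for `child-systemctl`, would keep them aligned, and a one-line comment such as `# udevadm reads PID 1's environment/sched to detect the running init` (to be confirmed against an actual denial) would record why the PID-1 rules exist. The `@{sys}/** r` rule in the child is also far broader than the `uevent` paths it then names; if `udevadm` only needs the block-device subtree, narrowing it would shrink the surface of a root helper.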
@@ -0,0 +1,228 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/gpartedbin
+profile gpartedbin @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # Needed to inform the system of newly created/removed partitions.
+ # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
+ #
+ # Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the
+ # kernel of the change, probably because it/they are in use. As a result, the old partition(s)
+ # will remain in use. You should reboot now before making further changes.
+ capability sys_admin,
+
+ # When gparted is started via pkexec.
+ #capability dac_read_search,
+
+ # Needed? (##FIXME##)
+ capability sys_rawio,
+
+ # Needed?
+ deny capability sys_nice,
+
+ # Needed?
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}sbin/dmidecode rPx,
+ /{usr/,}sbin/hdparm rPx,
+ /{usr/,}sbin/blkid rPx,
+
+ /{usr/,}bin/udevadm rCx -> udevadm,
+ /{usr/,}bin/mount rCx -> mount,
+ /{usr/,}bin/umount rCx -> umount,
+
+ # RAID
+ /{usr/,}sbin/dmraid rPUx,
+
+ # Device mapper
+ /{usr/,}sbin/dmsetup rPUx,
+
+ # LVM
+ /{usr/,}sbin/lvm rPUx,
+
+ # NTFS
+ # The following tools link to mkntfs:
+ # mkfs.ntfs
+ /{usr/,}sbin/mkntfs rPx,
+ /{usr/,}sbin/ntfslabel rPx,
+ /{usr/,}sbin/ntfsresize rPx,
+ /{usr/,}bin/ntfsinfo rPx,
+
+ # FAT16/32
+ # The following tools link to mtools:
+ # mattrib, mbadblocks, mcat, mcd, mclasserase, mcopy, mdel,
+ # mdeltree, mdir, mdu, mformat, minfo, mlabel, mmd, mmount,
+ # mmove, mpartition, mrd, mren, mshortname, mshowfat,
+ # mtoolstest, mtype, mzip
+ /{usr/,}bin/mtools rPx,
+ # The following tools link to mkfs.fat:
+ # mkdosfs, mkfs.msdos, mkfs.vfat
+ /{usr/,}sbin/mkfs.fat rPx,
+ # The following tools link to fsck.fat:
+ # dosfsck, fsck.msdos, fsck.vfat
+ /{usr/,}sbin/fsck.fat rPx,
+
+ # EXT2/3/4
+ # The following tools link to mke2fs:
+ # mkfs.ext2, mkfs.ext3, mkfs.ext4
+ /{usr/,}sbin/mke2fs rPx,
+ # The following tools link to e2fsck:
+ # fsck.ext2, fsck.ext3, fsck.ext4
+ /{usr/,}sbin/e2fsck rPx,
+ /{usr/,}sbin/resize2fs rPx,
+ # The following tools link to dumpe2fs:
+ # e2mmpstatus
+ /{usr/,}sbin/dumpe2fs rPx,
+ # The following tools link to tune2fs:
+ # e2label
+ /{usr/,}sbin/tune2fs rPx,
+ /{usr/,}sbin/e2image rPx,
+
+ # BTRFS
+ /{usr/,}sbin/mkfs.btrfs rPx,
+ # The following tools link to btrfs:
+ # btrfsck
+ /{usr/,}bin/btrfs rPx,
+ /{usr/,}bin/btrfstune rPx,
+ /{usr/,}sbin/fsck.btrfs rPx,
+ /{usr/,}sbin/mkfs.btrfs rPx,
+
+ # SWAP
+ /{usr/,}sbin/mkswap rPx,
+ /{usr/,}sbin/swaplabel rPx,
+ /{usr/,}sbin/swapon rPx,
+ /{usr/,}sbin/swapoff rPx,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+
+ @{PROC}/version r,
+ @{PROC}/swaps r,
+ 
@{PROC}/partitions r, + @{PROC}/devices r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/mapper/control rw, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /{var/,}run/mount/utab r, + + # For fsck of the btrfs filesystem + owner /tmp/gparted-*/ rw, + + # Started as root so without "owner". + @{HOME}/.Xauthority r, + + + profile mount { + #include + + capability sys_admin, + + /{usr/,}bin/mount mr, + + mount /dev/sd[a-z][0-9]* -> /tmp/gparted-*/, + + mount /dev/sd[a-z][0-9]* -> /boot/, + mount /dev/sd[a-z][0-9]* -> /media/*/, + mount /dev/sd[a-z][0-9]* -> /media/*/*/, + + @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r, + @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/dev r, + @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/sd[a-z][0-9]*/ r, + @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/sd[a-z][0-9]*/{start,size} r, + + /dev/sd[a-z] r, + /dev/sd[a-z][0-9]* r, + + } + + profile umount { + #include + + capability sys_admin, + + /{usr/,}bin/umount mr, + + umount /tmp/gparted-*/, + + umount /boot/, + umount /media/*/, + umount /media/*/*/, + + owner @{PROC}/@{pid}/mountinfo r, + + owner /{,var/}run/mount/ rw, + owner /{,var/}run/mount/utab{,.*} rw, + owner /{,var/}run/mount/utab.lock wk, + + } + + profile udevadm { + #include + + ptrace (read), + + /{usr/,}bin/udevadm mr, + + /etc/udev/udev.conf r, + + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/1/sched r, + @{PROC}/1/environ r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + # file_inherit + #include # lots of files in this abstraction get inherited + /dev/mapper/control rw, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + # Allowed apps to open + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} 
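Review bot: `capability sys_rawio` is still marked `# Needed? (##FIXME##)` and `ptrace (read)` sits under a bare `# Needed?`, so two broad grants ship in a root-run profile without a recorded reason; either drop them until a denial shows they are required, or replace the placeholders with the observed error the way the `capability sys_admin` comment above already does. The `rPUx` transitions for `dmraid`, `dmsetup` and `lvm` fall back to unconfined execution when no profile for the target is loaded, which for block-device tools executed as root deserves a comment naming the missing profiles, e.g. `# rPUx until profiles for lvm/dmsetup/dmraid exist`. The `udevadm` child profile grants `@{PROC}/1/environ r`; a one-line comment on why udevadm needs PID 1's environment would help the next reviewer judge that grant. Note that in this rendering every `#include` line appears without its `<abstractions/...>` argument, presumably stripped by the page extraction, so the abstraction set of these profiles could not be reviewed here.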
diff --git a/apparmor.d/gpasswd b/apparmor.d/gpasswd new file mode 100644 index 00000000..e28a9128 --- /dev/null +++ b/apparmor.d/gpasswd @@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gpasswd +profile gpasswd @{exec_path} { + #include + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + # gpasswd is a SETUID binary + capability setuid, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/loginuid r, + + /etc/login.defs r, + + /etc/{group,gshadow} rw, + /etc/{group,gshadow}.@{pid} w, + /etc/{group,gshadow}- w, + /etc/{group,gshadow}+ rw, + /etc/group.lock wl -> /etc/group.@{pid}, + /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/gpg b/apparmor.d/gpg new file mode 100644 index 00000000..8ac11573 --- /dev/null +++ b/apparmor.d/gpg 
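Review bot: The comment above `/etc/.pwd.lock rwk` speaks of modifying "the /etc/passwd or /etc/shadow password database", but this profile only grants `/etc/{group,gshadow}`; the same copied paragraph appears in groupadd, groupdel and grpck (groupmod does touch passwd, so it fits there). Suggest wording it per profile, e.g. `# lckpwdf() takes /etc/.pwd.lock before the group database is modified.` Since gpasswd is the only profile in this series for a setuid binary reachable by unprivileged users, the `capability setuid` comment would also be more useful if it named the operation that needs it rather than restating that the binary is setuid.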
@@ -0,0 +1,68 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gpg +profile gpg @{exec_path} { + #include + #include + #include + #include + + @{exec_path} mrix, + + /{usr/,}bin/gpgconf rPx, + /{usr/,}bin/gpg-connect-agent rPx, + /{usr/,}bin/gpg-agent rPx, + /{usr/,}bin/dirmngr rPx, + /{usr/,}bin/gpgsm rPx, + /{usr/,}lib/gnupg/scdaemon rPx, + + # GPG config files + owner @{HOME}/ r, + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + owner /var/lib/*/gnupg/ rw, + owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, + + owner /var/lib/*/.gnupg/ rw, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + + # For flatpak + owner /tmp/ostree-gpg-*/ r, + owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + + # For ToR Browser + owner @{HOME}/.local/share/torbrowser/gnupg_homedir/ r, + owner @{HOME}/.local/share/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/.local/share/torbrowser/gnupg_homedir/**, + + # For spamassassin + owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**, + + # Verify files + owner @{HOME}/** r, + owner /media/*/** r, + + owner @{PROC}/@{pid}/task/@{tid}/stat rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/fd/ r, + + /etc/inputrc r, + + # file_inherit + /tmp/#[0-9]*[0-9] rw, + + #include if exists +} diff --git a/apparmor.d/gpg-agent b/apparmor.d/gpg-agent new file mode 100644 index 00000000..89c81e38 --- /dev/null +++ b/apparmor.d/gpg-agent 
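Review bot: `owner @{HOME}/** r` under `# Verify files` subsumes every narrower `owner @{HOME}/...` read rule above it (the `.gnupg` and `torbrowser` entries still matter for their `w`, `k` and `l` bits) and, together with `owner /media/*/** r`, is the widest grant in the profile, so a comment should state that this is the intended trade-off for verifying or encrypting arbitrary user files. Conversely there is no write rule for `@{HOME}` outside `.gnupg/`, so if gpg is used to produce output files next to its input (`--output`, or the default `file.gpg`/`file.sig`) those writes will presumably be denied; that is fine if only verification is intended, but it should be said, e.g. `# read-only outside ~/.gnupg: signing/encrypting to files in $HOME is not covered`.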
@@ -0,0 +1,60 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gpg-agent +profile gpg-agent @{exec_path} { + #include + #include + + signal (receive) peer=pinentry-*, + + @{exec_path} mr, + + /{usr/,}lib/gnupg/scdaemon rPx, + + /usr/share/gnupg/* r, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/gpg-agent.conf r, + owner @{HOME}/.gnupg/private-keys-v1.d/ rw, + owner @{HOME}/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + + owner /var/lib/*/.gnupg/ rw, + owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, + owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /var/lib/*/.gnupg/S.gpg-agent rw, + + owner /var/lib/*/gnupg/ rw, + owner /var/lib/*/gnupg/private-keys-v1.d/ rw, + owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /var/lib/*/gnupg/S.gpg-agent rw, + + # For debuild + owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w, + owner /{var/,}run/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, + + @{PROC}/@{pid}/fd/ r, + + # PIN-entry apps + /{usr/,}bin/pinentry-* rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + # Silencer + deny /{usr/,}bin/.gnupg/ w, + + #include if exists +} diff --git a/apparmor.d/gpg-connect-agent b/apparmor.d/gpg-connect-agent new file mode 100644 index 00000000..00bcc281 --- /dev/null +++ b/apparmor.d/gpg-connect-agent 
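Review bot: `@{PROC}/@{pid}/fd/ r` is the only `fd/` rule in this series without the `owner` qualifier (gpg, gpgconf, gpo, gpodder, gsmartcontrol and hardinfo all write `owner @{PROC}/@{pid}/fd/ r`); `@{pid}` matches any pid, so as written it allows listing the open descriptors of every process the agent's uid can see. Suggest `owner @{PROC}/@{pid}/fd/ r,`. The rule `owner /{var/,}run/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w` is commented `# For debuild`, but as far as I know the `d.*` component is the agent's own socket directory for non-default homedirs, so a comment saying that would stop it looking debuild-specific — confirm before changing the comment.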
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gpg-connect-agent
+profile gpg-connect-agent @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/gpgconf b/apparmor.d/gpgconf
new file mode 100644
index 00000000..592ca620
--- /dev/null
+++ b/apparmor.d/gpgconf
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gpgconf
+profile gpgconf @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/gpg-connect-agent rPx,
+ /{usr/,}bin/gpg rPx,
+ /{usr/,}bin/gpg-agent rPx,
+ /{usr/,}bin/dirmngr rPx,
+ /{usr/,}bin/gpgsm rPx,
+ /{usr/,}lib/gnupg/scdaemon rPx,
+
+ /{usr/,}bin/pinentry-* rPx,
+
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ owner @{PROC}/@{pid}/task/@{tid}/stat rw,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/inputrc r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/gpgsm b/apparmor.d/gpgsm
new file mode 100644
index 00000000..2e5851fa
--- /dev/null
+++ b/apparmor.d/gpgsm
@@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gpgsm +profile gpgsm @{exec_path} { + #include + #include + + @{exec_path} mr, + + deny /usr/bin/.gnupg/ w, + + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + + #include if exists +} diff --git a/apparmor.d/gpo b/apparmor.d/gpo new file mode 100644 index 00000000..50a7e93d --- /dev/null +++ b/apparmor.d/gpo @@ -0,0 +1,49 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gpo +profile gpo @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/dash rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + + owner @{PROC}/@{pid}/fd/ r, + + owner @{HOME}/gPodder/ rw, + owner @{HOME}/gPodder/** rwk, + + /usr/share/gpodder/extensions/{,*.py} r, + + /etc/inputrc r, + + owner /var/tmp/etilqs_[0-9a-f]* rw, + + #include if exists +} 
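Review bot: In gpgsm, `deny /usr/bin/.gnupg/ w` uses a literal `/usr/bin` while the same silencer in gpg-agent is written `deny /{usr/,}bin/.gnupg/ w` and every other binary path in this series uses the `/{usr/,}bin` alternation; on a host where gpgsm lives at `/bin/gpgsm` the probe would presumably hit `/bin/.gnupg/`, which this rule does not match, so the denial would be logged instead of silenced. Suggest `deny /{usr/,}bin/.gnupg/ w,` plus the `# Silencer` comment gpg-agent carries. In gpo, `owner /var/tmp/etilqs_[0-9a-f]* rw` (and the identical rule in gpodder) would read better with a note on what it is; as far as I know `etilqs_` is SQLite's temporary-file prefix, so `# SQLite temporary files` — confirm before adding.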
diff --git a/apparmor.d/gpodder b/apparmor.d/gpodder new file mode 100644 index 00000000..d9e7c1fe --- /dev/null +++ b/apparmor.d/gpodder @@ -0,0 +1,91 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gpodder +profile gpodder @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/dash rix, + + /{usr/,}bin/uname rix, + + owner @{HOME}/ r, + owner @{HOME}/gPodder/ rw, + owner @{HOME}/gPodder/** rwk, + + /usr/share/gpodder/{,**} r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner /var/tmp/etilqs_[0-9a-f]* rw, + + /etc/mime.types r, + + /usr/share/*/*.desktop r, + + /{usr/,}bin/xdg-settings rPUx, + + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + + # A/V players + /{usr/,}bin/smplayer rPUx, + /{usr/,}bin/vlc rPUx, + /{usr/,}bin/mpv rPUx, + + # Open in a web browser + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} 
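Review bot: `xdg-settings`, `smplayer`, `vlc`, `mpv` and `firefox` are all transitioned with `rPUx`, so on a host where any of those profiles is absent a program that handles downloaded feed content launches the target unconfined; the `open` child profile repeats the pattern for firefox. That may be the intended fallback, but a comment at the first `rPUx` stating it (`# rPUx: runs unconfined when the target has no profile`) would make the choice visible, and `rPx` is preferable for any target that does have a profile in this repository.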
diff --git a/apparmor.d/gpodder-migrate2tres b/apparmor.d/gpodder-migrate2tres
new file mode 100644
index 00000000..e4ca9592
--- /dev/null
+++ b/apparmor.d/gpodder-migrate2tres
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gpodder-migrate2tres
+profile gpodder-migrate2tres @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/uname rix,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner @{HOME}/gPodder/ rw,
+ owner @{HOME}/gPodder/** rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/groupadd b/apparmor.d/groupadd
new file mode 100644
index 00000000..df41be2b
--- /dev/null
+++ b/apparmor.d/groupadd
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/groupadd +profile groupadd @{exec_path} { + #include + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + @{exec_path} mr, + + /etc/login.defs r, + + /etc/{group,gshadow} rw, + /etc/{group,gshadow}.@{pid} w, + /etc/{group,gshadow}- w, + /etc/{group,gshadow}+ rw, + /etc/group.lock wl -> /etc/group.@{pid}, + /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/groupdel b/apparmor.d/groupdel new file mode 100644 index 00000000..1e92d1d0 --- /dev/null +++ b/apparmor.d/groupdel 
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/groupdel +profile groupdel @{exec_path} { + #include + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + @{exec_path} mr, + + /etc/login.defs r, + + /etc/{group,gshadow} rw, + /etc/{group,gshadow}.@{pid} w, + /etc/{group,gshadow}- w, + /etc/{group,gshadow}+ rw, + /etc/group.lock wl -> /etc/group.@{pid}, + /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/groupmod b/apparmor.d/groupmod new file mode 100644 index 00000000..71eac769 --- /dev/null +++ b/apparmor.d/groupmod 
@@ -0,0 +1,47 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/groupmod +profile groupmod @{exec_path} { + #include + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + @{exec_path} mr, + + /etc/login.defs r, + + /etc/{passwd,gshadow,group} rw, + /etc/{passwd,gshadow,group}.@{pid} w, + /etc/{passwd,gshadow,group}- w, + /etc/{passwd,gshadow,group}+ rw, + + /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/group.lock wl -> /etc/group.@{pid}, + /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/groups b/apparmor.d/groups new file mode 100644 index 00000000..150f4502 --- /dev/null +++ b/apparmor.d/groups @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/groups +profile groups @{exec_path} { + #include + #include + + @{exec_path} mr, + + #include if exists +} 
diff --git a/apparmor.d/grpck b/apparmor.d/grpck new file mode 100644 index 00000000..6c1442b1 --- /dev/null +++ b/apparmor.d/grpck @@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/grpck +profile grpck @{exec_path} { + #include + #include + + # To set the right permission to the files in the /etc/ dir. + capability chown, + capability fsetid, + + @{exec_path} mr, + + /etc/login.defs r, + + /etc/{gshadow,group} rw, + /etc/{gshadow,group}.@{pid} rw, + /etc/{gshadow,group}- w, + /etc/{gshadow,group}+ rw, + + /etc/group.lock wl -> /etc/group.@{pid}, + /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/gsmartcontrol b/apparmor.d/gsmartcontrol new file mode 100644 index 00000000..ddba75b8 --- /dev/null +++ b/apparmor.d/gsmartcontrol 
@@ -0,0 +1,90 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/gsmartcontrol +profile gsmartcontrol @{exec_path} { + #include + #include + #include + #include + #include + #include + + capability dac_read_search, + + # Needed? + deny capability sys_nice, + + @{exec_path} mr, + + /{usr/,}sbin/smartctl rPx, + + # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Gsmartcontrol works fine without this. + #/{usr/,}bin/dbus-launch rCx -> dbus, + #/{usr/,}bin/dbus-send rCx -> dbus, + deny /{usr/,}bin/dbus-launch rx, + deny /{usr/,}bin/dbus-send rx, + + owner @{HOME}/.config/gsmartcontrol/ rw, + owner @{HOME}/.config/gsmartcontrol/gsmartcontrol.conf rw, + + # As it's started as root + @{HOME}/.Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/partitions r, + owner @{PROC}/devices r, + owner @{PROC}/scsi/scsi r, + owner @{PROC}/scsi/sg/devices r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as + # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and + # hence this behavior should be blocked. 
+ deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + + profile dbus { + #include + #include + + /{usr/,}bin/dbus-launch mr, + /{usr/,}bin/dbus-send mr, + /{usr/,}bin/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + + @{HOME}/.Xauthority r, + } + + #include if exists +} diff --git a/apparmor.d/gsmartcontrol-root b/apparmor.d/gsmartcontrol-root new file mode 100644 index 00000000..5e12622c --- /dev/null +++ b/apparmor.d/gsmartcontrol-root @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gsmartcontrol-root +profile gsmartcontrol-root @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash rix, + + /{usr/,}bin/which rix, + + /{usr/,}bin/pkexec rPx, + + #include if exists +} diff --git a/apparmor.d/gtk-update-icon-cache b/apparmor.d/gtk-update-icon-cache new file mode 100644 index 00000000..1b5b0135 --- /dev/null +++ b/apparmor.d/gtk-update-icon-cache 
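Review bot: The `dbus` child profile at the end of gsmartcontrol is unreachable: the only transitions into it (`rCx -> dbus` for dbus-launch and dbus-send) are commented out and replaced by `deny ... rx` rules, so the subprofile is dead policy that still declares `/{usr/,}bin/dbus-daemon rPUx`. Either delete the subprofile or place it under a comment marking it as the alternative to the deny rules, so a later reader does not assume dbus is confined rather than blocked. `deny capability sys_nice` carries the same bare `# Needed?` as gpartedbin; recording the observed denial would settle it.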
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/gtk-update-icon-cache
+profile gtk-update-icon-cache @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/icons/** r,
+ /usr/share/icons/**/.icon-theme.cache rw,
+ /usr/share/icons/**/icon-theme.cache rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/gtk-youtube-viewer b/apparmor.d/gtk-youtube-viewer
new file mode 100644
index 00000000..b175fa2d
--- /dev/null
+++ b/apparmor.d/gtk-youtube-viewer
@@ -0,0 +1,114 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer +profile gtk-youtube-viewer @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + + /{usr/,}bin/xterm rCx -> xterm, + /{usr/,}bin/rxvt rCx -> xterm, + /{usr/,}bin/urxvt rCx -> xterm, + + # Players + /{usr/,}bin/mpv rPx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/smplayer rPx, + + /{usr/,}lib/firefox/firefox rPx, + + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + + owner @{HOME}/.config/youtube-viewer/{,*} rw, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/youtube-viewer/ rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + + profile xterm { + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(hup, winch) peer=youtube-viewer, + signal (send) set=(hup, winch) peer=youtube-viewer//wget, + + /{usr/,}bin/xterm mr, + /{usr/,}bin/rxvt mr, + /{usr/,}bin/urxvt mr, + + /{usr/,}bin/zsh rix, + /{usr/,}bin/bash rix, + + /{usr/,}bin/youtube-viewer rPx, + + owner @{PROC}/@{pid}/loginuid r, + + /etc/shells r, + /etc/zsh/* r, + + /etc/X11/app-defaults/* r, + + /usr/include/X11/bitmaps/vlines2 r, + + owner @{HOME}/.urxvt/** r, + + owner @{HOME}/.Xauthority r, + owner @{HOME}/.ICEauthority r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, 
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo new file mode 100644 index 00000000..54a52b7b --- /dev/null +++ b/apparmor.d/hardinfo 
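Review bot: The parent profile transitions `/{usr/,}lib/firefox/firefox` with `rPx` while the `open` child profile uses `rPUx` for the same binary; when no firefox profile is loaded a direct launch is denied but the same browser started through `xdg-open` runs unconfined, the opposite of what the child profile is meant to narrow. Suggest `/{usr/,}lib/firefox/firefox rPx,` in `open` as well, or a comment explaining why the unconfined fallback is wanted only there. In the `xterm` child, `/{usr/,}bin/zsh rix` and `/{usr/,}bin/bash rix` mean any shell started in that terminal inherits the child profile; a comment stating that the terminal is expected to run only `youtube-viewer rPx` would document the intent.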
@@ -0,0 +1,173 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/hardinfo +profile hardinfo @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + + # This is needed to display some content of devices -> resources + capability sys_admin, + + # This is for benchmarks + capability sys_nice, + + @{exec_path} mrix, + + /{usr/,}bin/dash rix, + /{usr/,}bin/bash rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/ldd rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/ruby2.[0-9]* rix, + /{usr/,}bin/make rix, + /{usr/,}bin/strace rix, + /{usr/,}bin/gdb rix, + /{usr/,}bin/last rix, + /{usr/,}bin/iconv rix, + /{usr/,}sbin/route rix, + /{usr/,}bin/valgrind{,.bin} rix, + /{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/ccache rCx -> ccache, + /{usr/,}bin/kmod rCx -> kmod, + + /{usr/,}bin/glxinfo rPx, + /{usr/,}bin/xdpyinfo rPx, + /{usr/,}bin/lspci rPx, + /{usr/,}bin/lsusb rPx, + /{usr/,}bin/netstat rPx, + /{usr/,}bin/qtchooser rPx, + + /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + + /usr/share/hardinfo/{,**} r, + + @{sys}/class/power_supply/ r, + @{sys}/class/thermal/ r, + @{sys}/bus/i2c/drivers/eeprom/ r, + + @{sys}/devices/system/cpu/** r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]/temp* r, + 
@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r, + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, + @{sys}/devices/pci[0-9]*/**/eeprom r, + @{sys}/devices/pci[0-9]*/**/hwmon/hwmon[0-9]*/temp* r, + @{sys}/devices/**/power_supply/** r, + + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/arp r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/uptime r, + @{PROC}/loadavg r, + @{PROC}/ioports r, + @{PROC}/iomem r, + @{PROC}/dma r, + @{PROC}/asound/cards r, + @{PROC}/scsi/scsi r, + @{PROC}/bus/input/devices r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/@{pids}/net/route r, + + /etc/fstab r, + /etc/exports r, + + /var/log/wtmp r, + + owner @{HOME}/.hardinfo/ rw, + + owner /tmp/#[0-9]*[0-9] rw, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile ccache { + #include + + /{usr/,}bin/ccache mr, + + /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + + /media/ccache/*/** rw, + + } + + profile javac { + #include + #include + + /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac mr, + + /etc/java-[0-9]*-openjdk/jvm-amd64.cfg r, + + /usr/share/java/*.jar r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, + + /sys/fs/cgroup/** r, + + owner /tmp/hsperfdata_*/ rw, + owner /tmp/hsperfdata_*/@{pid} rw, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + profile kmod { + #include + + /{usr/,}bin/kmod mr, + + @{PROC}/cmdline r, + @{PROC}/modules r, + @{PROC}/ioports r, + + } + + #include if exists +} diff --git a/apparmor.d/hciconfig b/apparmor.d/hciconfig new file mode 100644 index 00000000..168a7668 --- /dev/null +++ b/apparmor.d/hciconfig 
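Review bot: `strace`, `gdb`, `valgrind`, `perl`, `python3`, `ruby` and `make` are all `rix`, so they inherit this profile including `capability sys_admin` and `capability sys_nice`; the `# This is for benchmarks` comment explains sys_nice, but nothing says which benchmark needs gdb or strace, and an inherited debugger under a sys_admin-capable profile is a large surface for a hardware-information tool. Consider moving the benchmark helpers into a `Cx` child profile without the capabilities, as is already done for `ccache`, `javac` and `kmod`, or at least add a comment per tool naming the benchmark that executes it. `/media/ccache/*/** rw` in the `ccache` child is a host-specific cache path that will not exist elsewhere; a comment or a tunable would make that clear.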
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/hciconfig
+profile hciconfig @{exec_path} flags=(complain) {
+ #include
+
+ capability net_raw,
+
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/hddtemp b/apparmor.d/hddtemp
new file mode 100644
index 00000000..cf1541d6
--- /dev/null
+++ b/apparmor.d/hddtemp
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/hddtemp
+profile hddtemp @{exec_path} {
+ #include
+
+ # To remove the following errors:
+ # /dev/sda: Permission denied
+ capability sys_rawio,
+
+ # There's the following error in strace:
+ # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied)
+ # This should be covered by CAP_SYS_RAWIO instead.
+ # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst)
+ # It looks like hddtemp works just fine without it.
+ deny capability sys_admin,
+
+ @{exec_path} mr,
+
+ # Monitored hard drives
+ /dev/sd[a-z] r,
+
+ # Database file that allows hddtemp to recognize supported drives
+ /etc/hddtemp.db r,
+
+ # Needed when the hddtemp daemon is started in the TCP/IP mode
+ /etc/gai.conf r,
+
+ #include if exists
+}
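Review bot: `profile hciconfig @{exec_path} flags=(complain) {` loads the profile in complain mode, so none of its rules are enforced and denials are only logged; the same flag is set on the hdparm and install-printerdriver profiles in this commit. Nothing in the file says whether this is a deliberate data-gathering state, so a comment on the profile line such as `# complain: still collecting denials, switch to enforce once the rule set is stable` would tell the next reader. The two capability rules (`net_raw`, `net_admin`) also lack the one-line justification the neighbouring profiles give their capabilities.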
diff --git a/apparmor.d/hdparm b/apparmor.d/hdparm
new file mode 100644
index 00000000..b05a4c28
--- /dev/null
+++ b/apparmor.d/hdparm
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/hdparm
+profile hdparm @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ # To remove the following errors:
+ # re-writing sector *: BLKFLSBUF failed: Permission denied
+ capability sys_admin,
+
+ # To remove the following errors:
+ # /dev/sda: HDIO_DRIVE_CMD(identify) failed: Operation not permitted
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ /etc/hdparm.conf r,
+
+ # for hdparm --fibmap
+ @{PROC}/devices r,
+
+ # Image files
+ @{HOME}/** r,
+ /media/*/** r,
+
+ #include if exists
+}
diff --git a/apparmor.d/hexchat b/apparmor.d/hexchat
new file mode 100644
index 00000000..862ab317
--- /dev/null
+++ b/apparmor.d/hexchat
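Review bot: `@{HOME}/** r` and `/media/*/** r` under `# Image files` grant read access to every file in every home directory and on every mounted medium, which is far wider than the image-file use the comment names. If this serves `--fibmap` or image operations on specific files, narrowing the globs to the file names actually used, or documenting why the whole tree is needed, would keep the profile honest about its reach. The profile is also `flags=(complain)`, so the rule is not enforced yet either way.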
@@ -0,0 +1,56 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/hexchat
+profile hexchat @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ # For python/perl plugins
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Hexchat plugins
+ /{usr/,}lib/@{multiarch}/hexchat/** r,
+ /{usr/,}lib/@{multiarch}/hexchat/plugins/*.so mr,
+
+ # Hexchat home files
+ owner @{HOME}/ r,
+ owner @{HOME}/.config/hexchat/ rw,
+ owner @{HOME}/.config/hexchat/** rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /etc/fstab r,
+
+ # External apps
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/hostname b/apparmor.d/hostname
new file mode 100644
index 00000000..0b4c1978
--- /dev/null
+++ b/apparmor.d/hostname
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
+profile hostname @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ #include if exists
+}
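Review bot: `/{usr/,}lib/firefox/firefox rPUx` under `# External apps` means that when no firefox profile is loaded, a URL clicked in a network-facing IRC client starts a fully unconfined browser; the same rule appears in the hardinfo `open` child earlier in this commit. If a firefox profile is expected to be present, `rPx` fails closed instead of falling back to unconfined; if not, a comment stating that the unconfined fallback is accepted would record the decision.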
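Review bot: The attachment list `@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}` names `nisdomainname` twice; one copy should go, and `dnsdomainname`, which the same package ships on Debian if I recall correctly, may be the name that was meant. `capability sys_admin,` has no comment, unlike the surrounding profiles; `# sethostname()/setdomainname() require CAP_SYS_ADMIN.` would record why it is granted.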
diff --git a/apparmor.d/htop b/apparmor.d/htop
new file mode 100644
index 00000000..5557c073
--- /dev/null
+++ b/apparmor.d/htop
@@ -0,0 +1,79 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/htop
+profile htop @{exec_path} {
+ #include
+ #include
+
+ # To be able to read the /proc/ files of all processes in the system.
+ capability dac_read_search,
+
+ # To manage priorities.
+ capability sys_nice,
+
+ # To terminate other users' processes when htop is started as root.
+ capability kill,
+
+ capability sys_ptrace,
+
+ signal (send),
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ @{PROC}/ r,
+ @{PROC}/loadavg r,
+ @{PROC}/uptime r,
+ @{PROC}/tty/drivers r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/oom_score r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/wchan r,
+ @{PROC}/@{pids}/io r,
+
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/@{pids}/task/@{tid}/cmdline r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/statm r,
+ @{PROC}/@{pids}/task/@{tid}/environ r,
+ @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/task/@{tid}/oom_score r,
+ @{PROC}/@{pids}/task/@{tid}/cgroup r,
+ @{PROC}/@{pids}/task/@{tid}/wchan r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/io r,
+
+ owner @{PROC}/@{pid}/smaps_rollup r,
+
+ owner @{HOME}/.config/htop/ rw,
+ owner @{HOME}/.config/htop/htoprc rw,
+
+ # When started in TTY, to remove the following error:
+ # htop[]: *** err
+ # /dev/tty2: Permission denied
+ # htop[]: *** err
+ # htop[]: Oh, oh, it's an error! possibly I die!
+ /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/hugeadm b/apparmor.d/hugeadm
new file mode 100644
index 00000000..f5234127
--- /dev/null
+++ b/apparmor.d/hugeadm
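Review bot: `@{PROC}/@{pids}/environ r` (and the matching `task/@{tid}/environ` rule) together with `capability dac_read_search` lets htop read the environment of every process on the system, and process environments routinely carry credentials and tokens; htop needs this only for its environment view, so a comment recording that trade-off would help whoever later decides whether to keep it. `capability sys_ptrace,` is the one capability in the block without an explanation; `# reading other users' /proc/<pid>/environ, io and similar files is a PTRACE_MODE_READ check, which needs CAP_SYS_PTRACE together with ptrace (read)` would match the style of the lines above it.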
@@ -0,0 +1,67 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/hugeadm
+profile hugeadm @{exec_path} {
+ #include
+ #include
+
+ # To mount anything under /var/lib/hugetlbfs/** .
+ capability sys_admin,
+
+ # For chown on the /var/lib/hugetlbfs/ dir and subdirs.
+ capability chown,
+
+ # For chmod on the /var/lib/hugetlbfs/ dir and subdirs.
+ capability fowner,
+
+ # For setting the set-group-ID bit on the /var/lib/hugetlbfs/group/*/ dirs.
+ capability fsetid,
+
+ # To create /var/lib/hugetlbfs/user/*/pagesize-*/ subdir because the /var/lib/hugetlbfs/user/*/
+ # parent dir is owned by a different user than root with the "drwx------" permissions.
+ capability dac_read_search,
+ capability dac_override,
+
+ @{exec_path} mr,
+
+ mount fstype=hugetlbfs -> /var/lib/hugetlbfs/pagesize-*/,
+ mount fstype=hugetlbfs -> /var/lib/hugetlbfs/{user,group}/*/pagesize-*/,
+ mount fstype=hugetlbfs -> /var/lib/hugetlbfs/global/pagesize-*/,
+
+ /var/lib/hugetlbfs/ w,
+ /var/lib/hugetlbfs/pagesize-*/ w,
+ /var/lib/hugetlbfs/{user,group}/ w,
+ /var/lib/hugetlbfs/{user,group}/*/ w,
+ /var/lib/hugetlbfs/{user,group}/*/pagesize-*/ w,
+ /var/lib/hugetlbfs/global/ w,
+ /var/lib/hugetlbfs/global/pagesize-*/ w,
+
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/vm/nr_overcommit_hugepages r,
+ # For the "--set-recommended-min_free_kbytes" parameter.
+ owner @{PROC}/sys/vm/min_free_kbytes w,
+ # For the "--set-recommended-shmmax" parameter.
+ owner @{PROC}/sys/kernel/shmmax w,
+ # For the "--set-shm-group" parameter.
+ owner @{PROC}/sys/vm/hugetlb_shm_group w,
+
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/transparent_hugepage/* r,
+ owner @{sys}/kernel/mm/transparent_hugepage/* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/hugo b/apparmor.d/hugo
new file mode 100644
index 00000000..85065668
--- /dev/null
+++ b/apparmor.d/hugo
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{HUGO_DIR} = /media/debuilder/hugo
+
+@{exec_path} = /{usr/,}bin/hugo
+profile hugo @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ # Hugo dirs
+ owner @{HOME}/hugo/ r,
+ owner @{HOME}/hugo/** r,
+ owner @{HOME}/hugo/**/public/ rw,
+ owner @{HOME}/hugo/**/public/** rw,
+ owner @{HUGO_DIR}/ r,
+ owner @{HUGO_DIR}/** r,
+ owner @{HUGO_DIR}/**/public/ rw,
+ owner @{HUGO_DIR}/**/public/** rw,
+
+ owner /tmp/hugo_cache/ rw,
+ owner /tmp/hugo_cache/**/ rw,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ /etc/mime.types r,
+
+ #include if exists
+}
diff --git a/apparmor.d/hw-probe b/apparmor.d/hw-probe
new file mode 100644
index 00000000..1102b2ba
--- /dev/null
+++ b/apparmor.d/hw-probe
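Review bot: `@{HUGO_DIR} = /media/debuilder/hugo` hard-codes a path that belongs to one machine (the `debuilder` component looks like a personal username) into a profile this commit publishes for general use. Moving the variable into a tunables file or the local include that the profile already pulls in with `#include if exists`, and leaving the shipped profile with only the `@{HOME}/hugo/` rules, would keep site details out of the repository. A comment saying the variable is meant to be overridden would also help the next user.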
@@ -0,0 +1,228 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/hw-probe
+profile hw-probe @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/pwd rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/sleep rix,
+ /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/uname rix,
+
+ /{usr/,}bin/dd rix,
+
+ /{usr/,}bin/efivar rix,
+ /{usr/,}bin/efibootmgr rix,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /{usr/,}sbin/dkms rPx,
+ /{usr/,}sbin/fdisk rPx,
+ /{usr/,}bin/upower rPx,
+ /{usr/,}sbin/hdparm rPx,
+ /{usr/,}sbin/smartctl rPx,
+ /{usr/,}bin/sensors rPx,
+ /{usr/,}bin/lsblk rPx,
+ /{usr/,}bin/dmesg rPx,
+ /{usr/,}bin/hciconfig rPx,
+ /{usr/,}bin/uptime rPx,
+ /{usr/,}sbin/rfkill rPx,
+ /{usr/,}sbin/biosdecode rPx,
+ /{usr/,}sbin/dmidecode rPx,
+ /{usr/,}bin/edid-decode rPx,
+ /{usr/,}bin/cpupower rPx,
+ /{usr/,}bin/acpi rPx,
+ /{usr/,}bin/lspci rPx,
+ /{usr/,}bin/lscpu rPx,
+ /{usr/,}bin/lsusb rPx,
+ /{usr/,}bin/usb-devices rPx,
+ /{usr/,}sbin/hwinfo rPx,
+ /{usr/,}bin/glxinfo rPx,
+ /{usr/,}sbin/i2cdetect rPx,
+ /{usr/,}bin/glxgears rPx,
+ /{usr/,}sbin/memtester rPx,
+ /{usr/,}bin/xrandr rPx,
+ /{usr/,}bin/inxi rPx,
+ /{usr/,}bin/aplay rPx,
+ /{usr/,}bin/amixer rPx,
+ /{usr/,}bin/xdpyinfo rPx,
+ /{usr/,}bin/df rPx,
+ /{usr/,}bin/cpuid rPx,
+ /{usr/,}bin/xinput rPx,
+
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+
+ /{usr/,}bin/find rCx -> find,
+ /{usr/,}bin/journalctl rCx -> journalctl,
+ /{usr/,}bin/systemd-analyze rCx -> systemd-analyze,
+ /{usr/,}bin/killall rCx -> killall,
+ /{usr/,}bin/udevadm rCx -> udevadm,
+ /{usr/,}bin/kmod rCx -> kmod,
+ /{usr/,}sbin/iw rCx -> netconfig,
+ /{usr/,}sbin/ifconfig rCx -> netconfig,
+ /{usr/,}sbin/iwconfig rCx -> netconfig,
+ /{usr/,}sbin/ethtool rCx -> netconfig,
+
+ owner /root/HW_PROBE/{,**} rw,
+
+ owner /tmp/*/ rw,
+ owner /tmp/*/cpu_perf rw,
+
+ /var/log/Xorg.[0-9].log{,.old} r,
+ /etc/X11/xorg.conf.d/{,*.conf} r,
+ /usr/share/X11/xorg.conf.d/{,*.conf} r,
+
+ /etc/modprobe.d/{,*.conf} r,
+
+ @{sys}/class/drm/ r,
+ @{sys}/class/power_supply/ r,
+
+ @{sys}/devices/virtual/dmi/id/* r,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/*/edid r,
+ @{sys}/devices/**/power_supply/*/uevent r,
+
+ @{sys}/firmware/efi/efivars/ r,
+ @{sys}/firmware/efi/efivars/* r,
+
+ @{PROC}/scsi/scsi r,
+ @{PROC}/ioports r,
+ @{PROC}/interrupts r,
+ @{PROC}/bus/input/devices r,
+
+
+ profile find {
+ #include
+ #include
+
+ capability dac_read_search,
+
+ /{usr/,}bin/find mr,
+
+ /dev/{,**} r,
+
+ }
+
+ profile journalctl {
+ #include
+
+ /{usr/,}bin/journalctl mr,
+
+ /{var/,}run/log/ rw,
+ /{run,var}/log/journal/ rw,
+ /{run,var}/log/journal/[0-9a-f]*/ rw,
+ /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+ /{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
+ /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+
+ owner @{PROC}/@{pid}/stat r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ }
+
+ profile systemd-analyze {
+ #include
+
+ /{usr/,}bin/systemd-analyze mr,
+
+ owner @{PROC}/@{pid}/stat r,
+
+ }
+
+ profile killall {
+ #include
+
+ capability sys_ptrace,
+
+ signal (send) set=(int, term, kill),
+
+ ptrace (read),
+
+ /{usr/,}bin/killall mr,
+
+ # The /proc/ dir is needed to avoid the following error:
+ # /proc: Permission denied
+ @{PROC}/ r,
+ @{PROC}/@{pids}/stat r,
+
+ }
+
+ profile udevadm {
+ #include
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/**/uevent r,
+ /{var/,}run/udev/data/* r,
+
+ }
+
+ profile kmod {
+ #include
+
+ /{usr/,}bin/kmod mr,
+
+ @{PROC}/cmdline r,
+ @{PROC}/modules r,
+
+ @{sys}/module/*/ r,
+ @{sys}/module/*/{coresize,refcnt} r,
+ @{sys}/module/*/holders/ r,
+
+ }
+
+ profile netconfig {
+ #include
+
+ # Not needed
+ deny capability net_admin,
+ deny capability net_raw,
+
+ /{usr/,}sbin/iw mr,
+ /{usr/,}sbin/ifconfig mr,
+ /{usr/,}sbin/iwconfig mr,
+ /{usr/,}sbin/ethtool mr,
+
+ owner @{PROC}/@{pid}/net/if_inet6 r,
+ owner @{PROC}/@{pid}/net/dev r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/hwinfo b/apparmor.d/hwinfo
new file mode 100644
index 00000000..f992b95a
--- /dev/null
+++ b/apparmor.d/hwinfo
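Review bot: The `journalctl` child grants `rw` on `/{run,var}/log/journal/[0-9a-f]*/system.journal*` and the other journal files, although a hardware-report collector only needs to read them; write access to the system journal is exactly what log tampering needs, so if a write denial was actually observed it deserves a comment saying so, otherwise `r` is enough. The `killall` child's `signal (send) set=(int, term, kill),` carries no `peer=` qualifier, so it may signal any process on the system; if the processes hw-probe kills are known, naming them would narrow it. `/{usr/,}bin/dd rix` in the parent inherits `capability sys_admin`; a comment on what dd is used for would make that easier to judge.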
@@ -0,0 +1,119 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/hwinfo
+profile hwinfo @{exec_path} {
+ #include
+ #include
+
+ # Without the sys_admin CAP, some information, for instance the reserved I/O port address range
+ # in the /proc/ioports, will be hidden.
+ capability sys_admin,
+
+ # For the kernel log entries to be shown in the output
+ capability syslog,
+
+ # To remove the following errors:
+ # eth0: socket failed: Operation not permitted
+ capability net_raw,
+
+ # Needed when passed disk related options (--block, --partition, --floppy)
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/kmod rCx -> kmod,
+ /{usr/,}bin/udevadm rCx -> udevadm,
+
+ /{usr/,}sbin/dmraid rPUx,
+
+ @{PROC}/version r,
+ @{PROC}/cmdline r,
+ @{PROC}/dma r,
+ @{PROC}/interrupts r,
+ @{PROC}/modules r,
+ @{PROC}/tty/driver/serial r,
+ @{PROC}/ioports r,
+ @{PROC}/bus/input/devices r,
+ @{PROC}/partitions r,
+ @{PROC}/driver/nvram r,
+ @{PROC}/sys/dev/cdrom/info r,
+
+ /dev/mem r,
+ /dev/nvram r,
+ /dev/psaux r,
+ /dev/console rw,
+ /dev/ttyS0 r,
+ /dev/ttyS1 r,
+ /dev/fb[0-9] r,
+
+ @{sys}/bus/{,**/} r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/pci[0-9]*/** r,
+ @{sys}/devices/**/input/**/dev r,
+ @{sys}/devices/**/{modalias,uevent} r,
+ @{sys}/devices/virtual/net/*/{type,carrier,address} r,
+ @{sys}/firmware/dmi/tables/DMI r,
+ @{sys}/firmware/dmi/tables/smbios_entry_point r,
+ @{sys}/firmware/edd/{,**} r,
+
+ /var/lib/hardware/udi/ r,
+
+ # For a log file
+ owner /tmp/hwinfo*.txt rw,
+
+
+ profile kmod {
+ #include
+
+ /{usr/,}bin/kmod mr,
+
+ /etc/modprobe.d/{,*.conf} r,
+
+ @{PROC}/cmdline r,
+
+ # file_inherit
+ /dev/ttyS0 r,
+ /dev/ttyS1 r,
+ owner /tmp/hwinfo*.txt rw,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
+
+ }
+
+ profile udevadm {
+ #include
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ @{sys}/** r,
+ /{var/,}run/udev/data/* r,
+
+ # file_inherit
+ owner /tmp/hwinfo*.txt rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/i2cdetect b/apparmor.d/i2cdetect
new file mode 100644
index 00000000..8f21883e
--- /dev/null
+++ b/apparmor.d/i2cdetect
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/i2cdetect
+profile i2cdetect @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/i3lock b/apparmor.d/i3lock
new file mode 100644
index 00000000..6e54160b
--- /dev/null
+++ b/apparmor.d/i3lock
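Review bot: `/dev/mem r` together with `capability sys_rawio` is the most sensitive grant in this profile and the only device rule without a comment; reading physical memory exposes kernel and other processes' data to whatever extent the kernel's devmem restrictions allow, so a line naming the hwinfo probe that needs it (BIOS/VESA data, presumably) would let a reviewer weigh it. The `udevadm` child here allows `@{sys}/** r` while the hw-probe profile in this commit confines the same tool to `@{sys}/devices/**/uevent` plus a few bus and class directories; aligning on the narrower set would be consistent. `/{usr/,}sbin/dmraid rPUx` falls back to unconfined when no dmraid profile is loaded, which a comment should acknowledge.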
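Review bot: The profile has no rule for the `/dev/i2c-*` character devices that i2cdetect opens when it probes a bus, so unless the `#include` (whose target was lost in rendering) supplies one, a scan will be denied and presumably only the `-l` listing works. If that is the intent, a comment saying so would stop the next reader from adding a broad rule; otherwise `/dev/i2c-[0-9]* rw,` is the usual grant and should be documented as the reason the tool needs root.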
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/i3lock
+profile i3lock @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/sbin/unix_chkpwd rPx,
+
+ owner @{HOME}/.Xauthority r,
+
+ # For background image.
+ owner @{HOME}/*.png r,
+ owner @{HOME}/*/*.png r,
+
+ # When using also i3lock-fancy.
+ owner /tmp/tmp.*.png r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/i3lock-fancy b/apparmor.d/i3lock-fancy
new file mode 100644
index 00000000..37e4c598
--- /dev/null
+++ b/apparmor.d/i3lock-fancy
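Review bot: `/usr/sbin/unix_chkpwd rPx` requires a unix_chkpwd profile to be loaded; for a screen locker a missing target profile turns into a failed password check and a user locked out of their session, so either ship that profile alongside or document the dependency next to the rule. The path is also written without the `/{usr/,}` alternation the rest of the file uses, so on a system where the helper lives in `/sbin` the exec would be denied; `/{usr/,}sbin/unix_chkpwd rPx,` matches the file's own convention.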
@@ -0,0 +1,79 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/i3lock-fancy
+profile i3lock-fancy @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/fc-match rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/env rix,
+
+ /{usr/,}bin/i3lock rPx,
+ /{usr/,}bin/xrandr rPx,
+
+ /{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
+ /{usr/,}bin/import-im6.q16 rCx -> imagemagic,
+ /{usr/,}bin/scrot rCx -> imagemagic,
+
+ owner /tmp/tmp.*.png rw,
+ owner /tmp/tmp.* rw,
+ owner /tmp/sh-thd.* rw,
+
+ /usr/share/i3lock-fancy/{,*} r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile imagemagic {
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/convert-im6.q16 mr,
+ /{usr/,}bin/import-im6.q16 mr,
+ /{usr/,}bin/scrot mr,
+
+ /usr/share/ImageMagick-[0-9]/*.xml r,
+ /etc/ImageMagick-[0-9]/*.xml r,
+
+ owner @{HOME}/.Xauthority r,
+
+ /usr/share/i3lock-fancy/**.png r,
+
+ # For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ .
+ deny owner @{HOME}/* rw,
+
+ owner /tmp/tmp.*.png rw,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/ifconfig b/apparmor.d/ifconfig
new file mode 100644
index 00000000..00fa8a7f
--- /dev/null
+++ b/apparmor.d/ifconfig
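Review bot: The child profile `imagemagic` confines `convert-im6.q16`, `import-im6.q16` and `scrot` together; the name is a misspelling of ImageMagick and scrot is a separate screenshot tool, so `profile imagemagick {` with a comment such as `# convert/import and scrot share this child: they only capture and render the lock image` would read more clearly (the three `rCx -> imagemagic` transitions change accordingly). In the parent, `owner /tmp/tmp.*.png rw,` is fully covered by `owner /tmp/tmp.* rw,` on the next line, so one of them can go. The `-im6.q16` binary names pin the profile to one ImageMagick build; a comment noting that they need updating when the package changes would save a silent breakage later.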
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/ifconfig
+profile ifconfig @{exec_path} {
+ #include
+ #include
+
+ # To be able to manage network interfaces.
+ capability net_admin,
+
+ # Needed?
+ audit deny capability sys_module,
+
+ @{exec_path} mr,
+
+ @{PROC}/net/dev r,
+ @{PROC}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/dev r,
+ @{PROC}/@{pid}/net/if_inet6 r,
+
+ /etc/networks r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ifup b/apparmor.d/ifup
new file mode 100644
index 00000000..4ec6da23
--- /dev/null
+++ b/apparmor.d/ifup
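Review bot: `# Needed?` above `audit deny capability sys_module,` leaves open whether the rule is there to silence a denial or to flag an attempt; since `audit deny` keeps logging every hit, it silences nothing, so the comment should state the intended effect, for example `# ifconfig has no business loading modules; keep auditing any attempt`. The same comment and rule appear in the ifup profile later in this commit and should be resolved there too.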
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/{ifup,ifdown,ifquery}
+profile ifup @{exec_path} {
+ #include
+
+ # To be able to manage network interfaces.
+ capability net_admin,
+
+ # Needed?
+ audit deny capability sys_module,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/ip rix,
+ /{usr/,}bin/sleep rix,
+
+ /{usr/,}sbin/dhclient rPx,
+ /{usr/,}bin/macchanger rPx,
+
+ /{usr/,}bin/run-parts rCx -> run-parts,
+
+ /etc/network/interfaces r,
+ /etc/network/interfaces.d/{,*} r,
+
+ /{var/,}run/network/ rw,
+ /{var/,}run/network/{.,}ifstate* rwk,
+ /{var/,}run/network/{ifup,ifdown}-*.pid rw,
+
+ # For setting a USB modem
+ owner /dev/ttyUSB[0-9]* rw,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/network/if-down.d/ r,
+ /etc/network/if-down.d/openvpn rPUx,
+ /etc/network/if-down.d/wpasupplicant rPUx,
+ /etc/wpa_supplicant/ifupdown.sh rPUx,
+
+ /etc/network/if-post-down.d/ r,
+ /etc/network/if-post-down.d/bridge rPUx,
+ /etc/network/if-post-down.d/hostapd rPUx,
+ /etc/hostapd/ifupdown.sh rPUx,
+ /etc/network/if-post-down.d/ifenslave rPUx,
+ /etc/network/if-post-down.d/macchanger rPUx,
+ /etc/macchanger/ifupdown.sh rPUx,
+ /etc/network/if-post-down.d/wireless-tools rPUx,
+ /etc/network/if-post-down.d/wpasupplicant rPUx,
+
+ /etc/network/if-pre-up.d/ r,
+ /etc/network/if-pre-up.d/bridge rPUx,
+ /{usr/,}lib/bridge-utils/ifupdown.sh rPUx,
+ /etc/network/if-pre-up.d/ethtool rPUx,
+ /etc/network/if-pre-up.d/hostapd rPUx,
+ /etc/network/if-pre-up.d/ifenslave rPUx,
+ /etc/network/if-pre-up.d/macchanger rPUx,
+ /etc/network/if-pre-up.d/wireless-tools rPUx,
+ /etc/network/if-pre-up.d/wpasupplicant rPUx,
+ # For stable-privacy IPv6 addresses
+ /etc/network/if-pre-up.d/random-secret rPUx,
+
+ /etc/network/if-up.d/ r,
+ /etc/network/if-up.d/ethtool rPUx,
+ /etc/network/if-up.d/ifenslave rPUx,
+ /etc/network/if-up.d/openvpn rPUx,
+ /etc/network/if-up.d/wpasupplicant rPUx,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/initd-kexec b/apparmor.d/initd-kexec
new file mode 100644
index 00000000..38e6fc37
--- /dev/null
+++ b/apparmor.d/initd-kexec
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/init.d/kexec
+profile initd-kexec @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/tput rix,
+ /{usr/,}bin/echo rix,
+
+ /{usr/,}sbin/kexec rPx,
+
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/systemctl rCx -> systemctl,
+
+ /etc/default/kexec r,
+
+ @{sys}/kernel/kexec_loaded r,
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/default/kexec.d/ r,
+
+ }
+
+ profile systemctl {
+ #include
+
+ capability sys_resource,
+
+ ptrace (read),
+
+ /{usr/,}bin/systemctl mr,
+
+ /{usr/,}bin/systemd-tty-ask-password-agent rix,
+
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+
+ /dev/kmsg w,
+
+ owner /{var/,}run/systemd/ask-password/ rw,
+ owner /{var/,}run/systemd/ask-password-block/* rw,
+
+ }
+
+ #include if exists
+}
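Review bot: Every hook in the `run-parts` child is `rPUx`, so each `/etc/network/if-*.d/` script without a profile of its own runs unconfined as root, which is the point where a modified hook script would leave confinement entirely. For hooks whose programs ship with profiles (openvpn and wpasupplicant are the likely candidates) `rPx` fails closed instead; for the rest, a comment stating that the unconfined fallback is accepted would record the decision. `# Needed?` above `audit deny capability sys_module,` has the same ambiguity noted on ifconfig.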
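Review bot: The `systemctl` child profile is repeated almost verbatim in initd-kexec-load and initd-kmod in this commit, with small drift between the copies (`/dev/kmsg w` and the `@{PROC}/1/*` rules are absent from the initd-kmod copy). The hw-probe and inxi profiles in the same commit already delegate with `/{usr/,}bin/systemctl rPx -> child-systemctl,`; using that shared profile here would remove the duplication and keep the three init scripts in step, or a comment should explain why these need a private copy.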
diff --git a/apparmor.d/initd-kexec-load b/apparmor.d/initd-kexec-load
new file mode 100644
index 00000000..a9a4e419
--- /dev/null
+++ b/apparmor.d/initd-kexec-load
@@ -0,0 +1,87 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/init.d/kexec-load
+profile initd-kexec-load @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/awk rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/tail rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/tput rix,
+
+ /{usr/,}sbin/kexec rPx,
+
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/systemctl rCx -> systemctl,
+
+ /no-kexec-reboot rw,
+
+ /etc/default/kexec r,
+
+ @{sys}/kernel/kexec_loaded r,
+
+ owner /boot/grub/{grub.cfg,grubenv} r,
+
+ @{PROC}/cmdline r,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/default/kexec.d/ r,
+
+ }
+
+ profile systemctl {
+ #include
+ #include
+
+ capability sys_resource,
+
+ ptrace (read),
+
+ /{usr/,}bin/systemctl mr,
+
+ /{usr/,}bin/systemd-tty-ask-password-agent rix,
+
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+
+ /dev/kmsg w,
+
+ owner /{var/,}run/systemd/ask-password/ rw,
+ owner /{var/,}run/systemd/ask-password-block/* rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/initd-kmod b/apparmor.d/initd-kmod
new file mode 100644
index 00000000..a4126249
--- /dev/null
+++ b/apparmor.d/initd-kmod
@@ -0,0 +1,67 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/init.d/kmod
+profile initd-kmod @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/tput rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/echo rix,
+ /{usr/,}bin/{,e}grep rix,
+
+ /{usr/,}bin/kmod rPx,
+
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/systemctl rCx -> systemctl,
+
+ /etc/modules-load.d/*.conf r,
+ /etc/modules r,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/modules-load.d/ r,
+
+ }
+
+ profile systemctl {
+ #include
+
+ capability sys_resource,
+
+ ptrace (read),
+
+ /{usr/,}bin/systemctl mr,
+
+ /{usr/,}bin/systemd-tty-ask-password-agent rix,
+
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner /{var/,}run/systemd/ask-password/ rw,
+ owner /{var/,}run/systemd/ask-password-block/* rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/install-printerdriver b/apparmor.d/install-printerdriver
new file mode 100644
index 00000000..fbbf0fdb
--- /dev/null
+++ b/apparmor.d/install-printerdriver
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/install-printerdriver
+@{exec_path} += /usr/share/system-config-printer/install-printerdriver.py
+profile install-printerdriver @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/dash r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/share/system-config-printer/{,**} r,
+
+ #include if exists
+}
diff --git a/apparmor.d/inxi b/apparmor.d/inxi
new file mode 100644
index 00000000..dc6ac4f7
--- /dev/null
+++ b/apparmor.d/inxi
@@ -0,0 +1,162 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/inxi +profile inxi @{exec_path} { + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/ r, + /{usr/,}bin/dash rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/tput rix, + /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}bin/getconf rix, + /{usr/,}bin/file rix, + + /{usr/,}bin/ip rCx -> ip, + /{usr/,}lib/systemd/systemd rCx -> systemd, + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/udevadm rCx -> udevadm, + + /{usr/,}bin/systemctl rPx -> child-systemctl, + + /{usr/,}bin/dpkg-query rPx, + + /{usr/,}bin/compton rPx, + /{usr/,}bin/xrandr rPx, + /{usr/,}bin/glxinfo rPx, + /{usr/,}bin/lspci rPx, + /{usr/,}bin/lsusb rPx, + /{usr/,}bin/lsblk rPx, + /{usr/,}bin/sensors rPx, + /{usr/,}bin/uptime rPx, + /{usr/,}sbin/dmidecode rPx, + /{usr/,}bin/xdpyinfo rPx, + /{usr/,}bin/who rPx, + /{usr/,}bin/xprop rPx, + /{usr/,}bin/df rPx, + /{usr/,}sbin/blockdev rPx, + /{usr/,}bin/dig rPx, + /{usr/,}bin/ps rPx, + /{usr/,}bin/sudo rPx, + /{usr/,}bin/openbox rPx, + /{usr/,}bin/xset rPx, + /{usr/,}sbin/smartctl rPx, + /{usr/,}sbin/hddtemp rPx, + + /etc/ r, + /etc/inxi.conf r, + /etc/issue r, + /etc/magic r, + /etc/apt/sources.list r, + /etc/apt/sources.list.d/{,*.list} r, + + /var/log/ r, + /var/log/Xorg.[0-9]*.log r, + + /home/ r, + @{HOME}/.local/share/xorg/ r, + @{HOME}/.local/share/xorg/Xorg.[0-9]*.log r, + + /{var/,}run/ r, + + @{PROC}/asound/ r, + @{PROC}/asound/version r, + @{PROC}/sys/kernel/hostname r, + @{PROC}/swaps r, + @{PROC}/partitions r, + 
@{PROC}/scsi/scsi r, + @{PROC}/cmdline r, + @{PROC}/version r, + @{PROC}/sys/vm/swappiness r, + @{PROC}/sys/vm/vfs_cache_pressure r, + @{PROC}/sys/dev/cdrom/info r, + @{PROC}/1/comm r, + + /dev/ r, + /dev/mapper/ r, + /dev/disk/*/ r, + /dev/dm-[0-9]* r, + + @{sys}/class/power_supply/ r, + @{sys}/class/net/ r, + @{sys}/firmware/acpi/tables/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/{,**} r, + @{sys}/module/*/version r, + + + profile ip { + #include + + /{usr/,}bin/ip mr, + + @{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r, + + /etc/iproute2/group r, + + } + + profile systemd { + #include + + /{usr/,}lib/systemd/systemd mr, + + /etc/systemd/user.conf r, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/threads-max r, + @{PROC}/1/cgroup r, + + } + + profile udevadm { + #include + + /{usr/,}bin/udevadm mr, + + /etc/udev/udev.conf r, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/cmdline r, + @{PROC}/1/sched r, + @{PROC}/1/environ r, + @{PROC}/sys/kernel/osrelease r, + + @{sys}/devices/pci[0-9]*/**/block/**/uevent r, + /{var/,}run/udev/data/b* r, + + } + + profile kmod { + #include + + /{usr/,}bin/kmod mr, + + @{PROC}/cmdline r, + @{PROC}/modules r, + + } + + #include if exists +} diff --git a/apparmor.d/ioping b/apparmor.d/ioping new file mode 100644 index 00000000..c1baca1e --- /dev/null +++ b/apparmor.d/ioping 
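Review bot: `/{usr/,}bin/sudo rPx,` in the main `inxi` profile lets a confined system-information tool start sudo, which is the one child transition here that crosses a privilege boundary, and nothing says why. `Px` is the right choice — sudo runs under its own profile and the exec fails closed if no `sudo` profile is loaded — but a comment such as `# inxi invokes sudo for root-only helpers (presumably hddtemp/smartctl); keep Px, never ix` would make the transition visibly deliberate. The same hunk gives `dash`, `zsh` and `gcc-[0-9]*` `rix`, so anything those shells spawn inherits this profile's fairly wide read set (`@{sys}/devices/{,**} r`, `/etc/apt/sources.list*`); that is acceptable as long as it stays intentional, and a one-line note would keep it so.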
@@ -0,0 +1,55 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ioping
+profile ioping @{exec_path} {
+ #include
+ #include
+
+ # For pinging other users files as root.
+ capability dac_read_search,
+ capability dac_override,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ # The RW set on dirs means that the dirs can be pinged, which is safe write operation. In the
+ # case of files, this write operation can damage files, so we allow only to read the files. When
+ # pinging dirs, a file similar to "#1573619" is created in that dir, so it's allowed as well.
+ / rw,
+ /#[0-9]*[0-9] rw,
+ /**/ rw,
+ /**/#[0-9]*[0-9] rw,
+
+ # Allow pinging files, but without write operation. Like in the case of dirs, when pinging dirs
+ # there's also created the file similar to "#1573619" .
+ /usr/** r,
+ /lib/** r,
+ /bin/* r,
+ /sbin/* r,
+ /etc/** r,
+ /boot/** r,
+ /opt/** r,
+ /var/** r,
+ /media/** r,
+ /tmp/** r,
+ /home/** r,
+
+ # This was created when ioping was used on an external SD card.
+ /**/ioping.tmp.* w,
+
+ #include if exists
+}
diff --git a/apparmor.d/iotop b/apparmor.d/iotop
new file mode 100644
index 00000000..921aa07c
--- /dev/null
+++ b/apparmor.d/iotop
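Review bot: `/**/ioping.tmp.* w,` and `/**/#[0-9]*[0-9] rw,` carry no `owner` qualifier, and the same hunk grants `capability dac_read_search` and `capability dac_override`, so a root-run ioping may create `ioping.tmp.*` files in any directory regardless of who owns it. The comment calls the directory write "safe", but as far as I recall `w` on `/**/` also covers creating and removing directories, which ioping does not need. Qualifying the write rules with `owner` (`owner /**/ioping.tmp.* w,` and `owner /**/#[0-9]*[0-9] rw,`) keeps the probing behaviour while limiting the blast radius, and the capability comment should say the two capabilities are only exercised when run as root.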
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/iotop
+profile iotop @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability net_admin,
+
+ # To set processes' priorities
+ capability sys_nice,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/file rix,
+
+ /{usr/,}sbin/ r,
+
+ @{PROC}/ r,
+ @{PROC}/vmstat r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/sys/kernel/pid_max r,
+
+ # For file
+ /etc/magic r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ip b/apparmor.d/ip
new file mode 100644
index 00000000..5629647a
--- /dev/null
+++ b/apparmor.d/ip
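Review bot: `capability net_admin,` is the broadest grant in the `iotop` profile and the only one without a comment, while `sys_nice` directly below it gets one. iotop collects per-task I/O accounting over the taskstats netlink interface, which is presumably where the capability is spent; say so: `# taskstats netlink socket (per-process I/O accounting) needs CAP_NET_ADMIN`. If the three included abstractions (their names are not visible in this hunk) do not already allow `network netlink raw,`, that rule belongs next to the capability as well.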
@@ -0,0 +1,54 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# When "ip netns" is issued, the following error will be printed:
+# "Failed name lookup - disconnected path" error=-13 profile="ip" name="".
+@{exec_path} = /{usr/,}bin/ip
+profile ip @{exec_path} flags=(attach_disconnected) {
+ #include
+
+ # To be able to manage network interfaces.
+ capability net_admin,
+
+ #capability sys_admin,
+
+ # Needed?
+ audit deny capability sys_module,
+
+ @{exec_path} mrix,
+
+ mount options=(rw, rshared) -> /{var/,}run/netns/,
+ mount options=(rw, rslave) -> /,
+ mount options=(rw, bind) / -> /{var/,}run/netns/*,
+ mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
+ mount fstype=sysfs -> /sys/,
+
+ umount /{var/,}run/netns/*,
+ umount /sys/,
+
+ /etc/iproute2/{,**} r,
+
+ / r,
+ owner /{var/,}run/netns/ rw,
+ /{var/,}run/netns/* rw,
+ /etc/netns/*/ r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/net/dev_mcast r,
+ owner @{PROC}/@{pid}/net/igmp{,6} r,
+ owner @{PROC}/sys/net/ipv{4,6}/route/flush w,
+
+ #include if exists
+}
diff --git a/apparmor.d/ipcalc b/apparmor.d/ipcalc
new file mode 100644
index 00000000..529d3b49
--- /dev/null
+++ b/apparmor.d/ipcalc
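Review bot: `mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,` hard-codes one namespace name into a profile attached to the system-wide `/{usr/,}bin/ip`, so `ip netns exec` on any other namespace that ships its own `resolv.conf` is denied the bind mount with no hint why, even though `/etc/netns/*/ r` further down already expects several. Either generalise it to `/etc/netns/*/resolv.conf` or comment it as site-specific. The neighbouring `mount options=(rw, bind) / -> /{var/,}run/netns/*,` takes `/` as the bind source, which is wider than the namespace-file bind that `ip netns add` performs; if `/` is simply what AppArmor reports for the disconnected `/proc/*/ns/net` path (the comment above the profile header mentions disconnected paths), a note saying so would stop the next reader from tightening the source and breaking namespace creation.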
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ipcalc
+profile ipcalc @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ #include if exists
+}
diff --git a/apparmor.d/iw b/apparmor.d/iw
new file mode 100644
index 00000000..c171ccb4
--- /dev/null
+++ b/apparmor.d/iw
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/iw
+profile iw @{exec_path} {
+ #include
+
+ # To be able to manage network interfaces.
+ capability net_admin,
+
+ # Needed?
+ audit deny capability sys_module,
+
+ @{exec_path} mr,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/iwconfig b/apparmor.d/iwconfig
new file mode 100644
index 00000000..2afb5627
--- /dev/null
+++ b/apparmor.d/iwconfig
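Review bot: `# Needed?` above `audit deny capability sys_module` in the `iw` hunk leaves the rule's purpose open, and the same question mark is copied into the `ip` and `iwconfig` profiles in this commit. The rule is not a mystery: explicit `deny` rules are quiet by default, and `audit` is what makes an attempt to use the capability show up in the log, which is worth having for a capability that would let a wireless tool load kernel modules. Replace the question with the rationale, e.g. `# iw must never load modules itself; audit so attempts are logged`, and carry the same wording to the sibling profiles.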
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/iwconfig
+profile iwconfig @{exec_path} {
+ #include
+
+ # To be able to manage network interfaces.
+ capability net_admin,
+
+ # Needed?
+ audit deny capability sys_module,
+
+ @{exec_path} mr,
+
+ @{PROC}/net/wireless r,
+ owner @{PROC}/@{pid}/net/wireless r,
+ owner @{PROC}/@{pid}/net/dev r,
+
+ #include if exists
+}
diff --git a/apparmor.d/iwlist b/apparmor.d/iwlist
new file mode 100644
index 00000000..0b847465
--- /dev/null
+++ b/apparmor.d/iwlist
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/iwlist
+profile iwlist @{exec_path} {
+ #include
+
+ # To be able to manage network interfaces.
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ @{PROC}/net/wireless r,
+ owner @{PROC}/@{pid}/net/dev r,
+
+ #include if exists
+}
diff --git a/apparmor.d/jdownloader b/apparmor.d/jdownloader
new file mode 100644
index 00000000..e2d88546
--- /dev/null
+++ b/apparmor.d/jdownloader
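Review bot: `# To be able to manage network interfaces.` above `capability net_admin,` in the `iwlist` hunk is copied verbatim from the `iwconfig` profile, but iwlist only queries and scans and never configures an interface, so the comment misdescribes why the capability is there. It is presumably needed because triggering a scan is a privileged request, which is a different and narrower justification; a comment that matches the tool (`# triggering a wireless scan is a privileged request, hence net_admin`) prevents a future reviewer from assuming iwlist writes interface state. The `iwconfig` profile above it keeps the original wording correctly, since that tool does configure interfaces.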
@@ -0,0 +1,124 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{JD_INSTALLDIR} = /home/*/jd2 + +@{exec_path} = @{JD_INSTALLDIR}/*JDownloader* +profile jdownloader @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} rix, + + /{usr/,}bin/basename rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/find rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/chmod rix, + + /{usr/,}bin/ffmpeg rPx, + + # These are needed when the above tools are in some nonstandard locations + #/{usr/,}bin/which rix, + #/usr/ r, + #/usr/local/ r, + #/{usr/,}bin/ r, + #/{usr/,}lib/ r, + + deny /opt/ r, + + owner @{HOME}/ r, + owner @{JD_INSTALLDIR}/ rw, + owner @{JD_INSTALLDIR}/** rwk, + owner @{JD_INSTALLDIR}/jre/bin/java rix, + owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw, + owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw, + owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw, + owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw, + owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, + + owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw, + owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, + owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, + owner @{HOME}/.java/fonts/[0-9]*/ rw, + owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw, + owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw, + + owner @{HOME}/.install4j rw, + + owner /tmp/hsperfdata_*/ rw, + owner /tmp/hsperfdata_*/@{pid} rw, + # If the 
@{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead + owner /tmp/SevenZipJBinding-*/ rw, + owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, + # For auto updates + owner /tmp/lastChanceSrc[0-9]*lch rw, + owner /tmp/lastChanceDst[0-9]*.jar rw, + owner /tmp/i4j_log_jd2_[0-9]*.log rw, + owner /tmp/install4jError[0-9]*.log rw, + + owner @{HOME}/.Xauthority r, + + # What's this for? + deny owner @{HOME}/.mozilla/firefox/ r, + deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r, + + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/@{pid}/net/ipv6_route r, + deny @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/asound/version r, + + # For Reconnect -> Share Settings/Get Route + #/{usr/,}bin/netstat rix, + #/{usr/,}sbin/route rix, + #/{usr/,}bin/ping rix, + #/{usr/,}bin/ip rix, + #@{PROC}/@{pid}/net/route r, + + # To open a web browser for CAPTCHA + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/jdownloader-install b/apparmor.d/jdownloader-install new file mode 100644 index 00000000..d85963a3 --- /dev/null +++ b/apparmor.d/jdownloader-install 
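Review bot: `owner @{JD_INSTALLDIR}/** rwk,` together with `owner @{JD_INSTALLDIR}/jre/bin/java rix,` and `owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw,` gives the confined process write access to the very binaries and libraries it executes and maps, so whatever runs inside this sandbox can rewrite its own code and run it again under the same profile. That is inherent to a self-updating application installed under the user's home (the `/tmp/lastChance*` rules show the updater at work), but the profile should state the trade-off rather than leave it implicit: `# JD updates itself in place: the JRE and jars under @{JD_INSTALLDIR} are writable AND executable, so this profile bounds file/network reach, not code integrity`. The `open` child profile's `/{usr/,}lib/firefox/firefox rPUx,` is the other exit to keep in mind, since `PUx` falls back to unconfined whenever no firefox profile is loaded.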
@@ -0,0 +1,112 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{JD_INSTALLDIR} = /home/*/jd2 +@{JD_SH_PATH} = /home/*/[dD]ownload{,s} +@{JD_SH_PATH} += /home/*/[dD]esktop + +@{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh +profile jdownloader-install @{exec_path} { + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + + /{usr/,}bin/basename rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/which rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/df rix, + /{usr/,}bin/nohup rix, + + /{usr/,}bin/dash rix, + + # Check for old JD installations + deny /opt/ r, + + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/ rw, + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/** rwk, + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/bin/unpack200 rix, + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/bin/java rix, + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/jli/libjli.so mrw, + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/server/libjvm.so mrw, + owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw, + owner @{JD_SH_PATH}/install4jError[0-9]*.log rw, + + owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw, + owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, + owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw, + owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw, + owner 
@{HOME}/.java/.userPrefs/com/install4j/installations/prefs.tmp rw, + owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, + + owner @{HOME}/.install4j rw, + + # While creating the desktop icon + owner @{HOME}/.local/share/applications/i4j[0-9]*.tmp rw, + owner @{HOME}/.local/share/applications/JDownloader*.desktop rw, + + /tmp/ r, + owner /tmp/_jdinstall/ rw, + owner /tmp/JD2Setup_{x86,x64}.sh.[0-9]*.dir/ rw, + owner /tmp/JD2Setup_{x86,x64}.sh.[0-9]*.dir/sfx_archive.tar.gz rw, + owner /tmp/hsperfdata_*/ rw, + owner /tmp/hsperfdata_*/@{pid} rw, + owner /tmp/appwork[0-9]*[0-9] rw, + owner /tmp/i4j*.log rw, + owner /tmp/i4j*.sh rw, + owner /tmp/i4*.tmp rw, + owner /tmp/imageio[0-9]*.tmp rw, + owner /tmp/install4jError[0-9]*.log rw, + + owner @{HOME}/.Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/@{pid}/net/ipv6_route r, + deny @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + # What's this for? + deny owner @{HOME}/.mozilla/firefox/ r, + deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r, + + # Needed when installing JD + / r, + /home/ r, + owner @{HOME}/ r, + owner @{JD_INSTALLDIR}/ rw, + owner @{JD_INSTALLDIR}/** rw, + deny owner @{JD_INSTALLDIR}/jre/bin/java rx, + deny owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so m, + deny owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so m, + deny owner @{JD_INSTALLDIR}/jre/lib/*/*.so m, + deny owner @{JD_INSTALLDIR}/JDownloader2 rx, + + #include if exists +} diff --git a/apparmor.d/jekyll b/apparmor.d/jekyll new file mode 100644 index 00000000..ce212606 --- /dev/null +++ b/apparmor.d/jekyll 
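Review bot: The five `deny owner @{JD_INSTALLDIR}/...` lines at the end of the hunk (`jre/bin/java rx`, the three `.so m` rules and `JDownloader2 rx`) are the most security-relevant rules in the file and carry no comment: they stop the installer — a downloaded self-extracting script that runs `tar`, `gunzip` and `nohup` with `rix` — from launching the freshly installed application under this loose profile instead of the `jdownloader` one. Add a heading above them such as `# The installer may write the install tree but must not run it; the installed app has to start under the jdownloader profile`. It is also worth noting there that `deny ... rx` removes `r` as well for those paths, which is presumably intended since the installer only needs to create them.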
@@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +@{JEKYLL_DIR}=@{HOME}/morfikov.github.io + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/jekyll +profile jekyll @{exec_path} { + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/ruby2.[0-9]* r, + + /usr/share/rubygems-integration/** r, + + /usr/share/ruby-addressable/unicode.data r, + + # Jekyll dir + owner @{JEKYLL_DIR}/{,**} r, + owner @{JEKYLL_DIR}/_site/{,**} rw, + owner @{JEKYLL_DIR}/.sass-cache/** rw, + + @{PROC}/version r, + + #include if exists +} diff --git a/apparmor.d/jgmenu b/apparmor.d/jgmenu new file mode 100644 index 00000000..458e59ce --- /dev/null +++ b/apparmor.d/jgmenu 
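Review bot: `@{JEKYLL_DIR}=@{HOME}/morfikov.github.io` is declared before the `#include` line, unlike every other profile in this commit, which declares its variables after the tunables include, and it pins a profile attached to the system-wide `/{usr/,}bin/jekyll` to a single personal site directory — any other source tree gets nothing but denials. Move the assignment below the include for consistency, and either widen it (`@{JEKYLL_DIR} = @{HOME}/*.github.io` would still be `owner`-bounded by the rules that use it) or mark it with `# site-specific: adjust to your Jekyll source tree`.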
@@ -0,0 +1,65 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/jgmenu{,_run} +profile jgmenu @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mrix, + + /{usr/,}bin/dash rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/find rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/cat rix, + + /{usr/,}lib/jgmenu/jgmenu-* rix, + + owner @{HOME}/.jgmenu-lockfile rwk, + + owner @{HOME}/.config/tint2/tint2rc r, + + owner @{HOME}/.config/jgmenu/ rw, + owner @{HOME}/.config/jgmenu/** rw, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/jgmenu/ rw, + owner @{HOME}/.cache/jgmenu/** rw, + + owner @{HOME}/.Xauthority r, + + owner @{PROC}/@{pid}/loginuid r, + + # For zsh shell + /etc/zsh/zshenv r, + + # For missing apps icon and desktop files + /usr/share/**.png r, + /usr/share/**.desktop r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/kanyremote b/apparmor.d/kanyremote new file mode 100644 index 00000000..14eb2340 --- /dev/null +++ b/apparmor.d/kanyremote 
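Review bot: The `jgmenu` profile has `/{usr/,}bin/dash rix` and `/{usr/,}bin/zsh rix` but no `Px`, `PUx` or `Ux` rule for any application, so if jgmenu spawns the selected menu entry itself through one of those shells, the launched program inherits this profile and anything not listed here — essentially every application — is denied execution. If launching is delegated to something else in practice, a one-line comment saying so would settle it; otherwise the launcher needs an explicit rule or a child profile naming what may be started, e.g. `/{usr/,}bin/* rPUx,` with a comment that `PUx` falls back to unconfined when no profile exists for the target.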
@@ -0,0 +1,125 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kanyremote +profile kanyremote @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + + /{usr/,}bin/ r, + /{usr/,}bin/dash rix, + /{usr/,}bin/bash rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/head rix, + /{usr/,}bin/find rix, + + /{usr/,}bin/anyremote rPx, + /{usr/,}bin/ps rPx, + + /{usr/,}bin/killall rCx -> killall, + /{usr/,}bin/pgrep rCx -> pgrep, + + /{usr/,}bin/pacmd rPUx, + /{usr/,}bin/pactl rPUx, + + # Players + /{usr/,}bin/smplayer rPUx, + /{usr/,}bin/amarok rPUx, + /{usr/,}bin/vlc rPUx, + /{usr/,}bin/mpv rPUx, + /{usr/,}bin/strawberry rPUx, + + owner @{HOME}/ r, + owner @{HOME}/.anyRemote/{,*} rw, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/anyremote/{,**} r, + + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + + /dev/shm/#[0-9]*[0-9] rw, + + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Doc dirs + deny /usr/local/share/ r, + deny /usr/share/ r, + deny /usr/share/doc/ r, + /usr/share/doc/anyremote{,-data}/ r, + + + profile killall { + #include + #include + + capability sys_ptrace, + + signal (send) set=(int, term, kill), + + ptrace (read), + + /{usr/,}bin/killall mr, + + # The /proc/ dir is needed to 
avoid the following error: + # /proc: Permission denied + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + + } + + profile pgrep { + #include + #include + + /{usr/,}bin/pgrep mr, + + # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + deny @{PROC}/sys/kernel/osrelease r, + + /usr/share/anyremote/{,**} r, + + } + + #include if exists +} diff --git a/apparmor.d/kcheckpass b/apparmor.d/kcheckpass new file mode 100644 index 00000000..e3acc174 --- /dev/null +++ b/apparmor.d/kcheckpass @@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass +profile kcheckpass @{exec_path} { + #include + #include + #include + #include + + signal (receive) peer=kscreenlocker-greet, + + @{exec_path} mr, + + /{usr/,}sbin/unix_chkpwd rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc new file mode 100644 index 00000000..30d6acba --- /dev/null +++ b/apparmor.d/keepassxc 
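Review bot: In the `killall` child profile, `signal (send) set=(int, term, kill),` has no `peer=` restriction, so this helper may signal every process of the user, not just the one kanyremote means to stop — presumably `anyremote`, given the `/{usr/,}bin/anyremote rPx` rule in the parent. Narrowing it to the intended target, `signal (send) set=(int, term, kill) peer=anyremote,`, keeps the helper from becoming a generic kill-anything primitive should kanyremote ever be driven by a hostile remote client, which is the threat a remote-control daemon's profile exists for. The `ptrace (read)` and `@{PROC}/@{pids}/stat r` rules can stay as they are, since killall has to look at other processes to find its target.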
@@ -0,0 +1,139 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{KP_DB} = @{HOME}/keepass-baza + +@{exec_path} = /{usr/,}bin/keepassxc +profile keepassxc @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mrix, + + /usr/share/keepassxc/{,**} r, + + owner @{HOME}/.config/keepassxc/ rw, + owner @{HOME}/.config/keepassxc/* rwkl -> @{HOME}/.config/keepassxc/#[0-9]*[0-9], + + owner @{HOME}/.cache/keepassxc/ rw, + owner @{HOME}/.cache/keepassxc/* rwkl -> @{HOME}/.cache/keepassxc/#[0-9]*[0-9], + + # Database location + / r, + /home/ r, + owner @{HOME}/ r, + owner @{KP_DB}/ r, + owner @{KP_DB}/#[0-9]*[0-9] rw, + owner @{KP_DB}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9], + #For export to a CSV file + owner @{KP_DB}/*.csv rw, + + # For SSH keys + owner @{HOME}/.ssh/ r, + owner @{HOME}/.ssh/*_rsa r, + owner @{HOME}/.ssh/*_ed25519 r, + owner @{HOME}/.ssh/*.pub r, + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner /tmp/keepassxc-*.lock{,.rmlock} rwk, + owner /tmp/keepassxc-*.socket rw, + # When $USER is not set + owner /tmp/keepassxc.lock rw, + owner /tmp/keepassxc.socket rw, + + owner /tmp/.[a-zA-Z]*/{,s} rw, + + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9], + + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pids}/comm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/class/ r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + + /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + /{var/,}run/udev/data/+usb:* r, # + + /dev/bus/usb/ r, + /dev/shm/#[0-9]*[0-9] rw, + + # For browser integration + owner @{HOME}/.config/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, + owner @{HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, + owner @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, + owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw, + owner /{var/,}run/user/[0-9]*/kpxc_server rw, + + owner /{var/,}run/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + /{usr/,}bin/xdg-open rCx -> open, + + # file_inherit + owner /dev/tty[0-9]* rw, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}bin/geany rPUx, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + 
/{usr/,}lib/firefox/firefox rPUx, + /{usr/,}bin/geany rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/keepassxc-cli b/apparmor.d/keepassxc-cli new file mode 100644 index 00000000..8ec49ddd --- /dev/null +++ b/apparmor.d/keepassxc-cli @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/keepassxc-cli +profile keepassxc-cli @{exec_path} { + #include + #include + + @{exec_path} mr, + + #include if exists +} diff --git a/apparmor.d/keepassxc-proxy b/apparmor.d/keepassxc-proxy new file mode 100644 index 00000000..0e0e816a --- /dev/null +++ b/apparmor.d/keepassxc-proxy 
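Review bot: `/{usr/,}lib/firefox/firefox rPUx,` and `/{usr/,}bin/geany rPUx,` appear twice in the `keepassxc` hunk — once in the main profile under `# Allowed apps to open` and again inside the `open` child profile — so the password manager can exec the browser directly, bypassing the `xdg-open rCx -> open` indirection the child exists for. If the direct exec is needed (for example a URL opened without going through xdg-open), comment it; otherwise drop the two main-profile lines so the child remains the only path out. Separately, `owner @{HOME}/.ssh/*_rsa r` and `*_ed25519 r` read private key material, and `# For SSH keys` undersells that; `# SSH Agent integration: reads the user's private keys to load them into the agent (confirm this is the only use)` tells the reader what is at stake.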
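Review bot: The `keepassxc-cli` profile allows only `@{exec_path} mr,` plus two abstractions whose names are not visible in this hunk, so unless one of those abstractions grants it, the CLI has no rule letting it read a `.kdbx` database or key file — its primary input — and every invocation will be denied. The `keepassxc` profile in the same commit carves out `owner @{KP_DB}/*.kdbx* rwl` for exactly this. A minimal rule such as `owner @{HOME}/**.kdbx r,` (plus `owner @{HOME}/**.key r,` if key files are used), or a shared tunable for the database directory, would make the profile usable without making it generic.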
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/keepassxc-proxy
+profile keepassxc-proxy @{exec_path} {
+ #include
+ #include
+ #include
+
+ signal (receive) set=(term, kill),
+
+ @{exec_path} mr,
+
+ # file_inherit
+ deny owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
+ deny owner /{var/,}run/user/[0-9]*/kpxc_server rw,
+ deny /dev/shm/org.chromium.* rw,
+ deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
+ #
+ deny owner @{HOME}/.mozilla/** rw,
+ deny owner @{HOME}/.cache/mozilla/** rw,
+ deny owner /media/*/.mozilla/** rw,
+ deny owner /tmp/firefox*/.parentlock rw,
+ deny owner /tmp/tmp-*.xpi rw,
+ deny owner /tmp/tmpaddon r,
+ deny owner @{HOME}/.config/google-chrome/** rw,
+ deny owner @{HOME}/.config/chromium/** rw,
+ #
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/kernel-install b/apparmor.d/kernel-install
new file mode 100644
index 00000000..5dea937d
--- /dev/null
+++ b/apparmor.d/kernel-install
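Review bot: `deny owner /{var/,}run/user/[0-9]*/kpxc_server rw,` sits under `# file_inherit`, but `kpxc_server` is also one of the socket paths the `keepassxc` profile in this commit opens for browser integration, and no allow rule in this hunk names the socket the proxy itself connects to (the main profile additionally writes `org.keepassxc.KeePassXC.BrowserServer`). Unless one of the three included abstractions covers it, the proxy has no visible path to KeePassXC at all, and the deny reads as a silent break rather than noise suppression. A comment stating which socket the proxy uses, with the matching `owner /{var/,}run/user/[0-9]*/<socket> rw,` rule beside it, would make the deny unambiguously about descriptors inherited from the browser.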
@@ -0,0 +1,78 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kernel-install +profile kernel-install @{exec_path} flags=(complain) { + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + + /{usr/,}bin/dash r, + + /{usr/,}bin/mountpoint rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/chown rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/basename rix, + + /{usr/,}bin/kmod rCx -> kmod, + + /{usr/,}lib/kernel/install.d/ r, + /{usr/,}lib/kernel/install.d/[0-9][0-9]-*.install rix, + + /etc/kernel/install.d/ r, + /etc/kernel/install.d/*.install rix, + + owner /tmp/sh-thd.* rw, + + owner /boot/{vmlinuz,initrd.img}-* r, + owner /boot/[a-f0-9]*/*/ rw, + owner /boot/[a-f0-9]*/*/{linux,initrd} w, + owner /boot/loader/ rw, + owner /boot/loader/entries/ rw, + owner /boot/loader/entries/*.conf w, + + /{usr/,}lib/modules/*/modules.* w, + + /etc/os-release r, + /{usr/,}lib/os-release r, + + /etc/kernel/tries r, + + /etc/kernel/cmdline r, + @{PROC}/cmdline r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + + profile kmod flags=(complain) { + #include + + /{usr/,}bin/kmod mr, + + #@{PROC}/cmdline r, + #@{PROC}/modules r, + + } + + #include if exists +} diff --git a/apparmor.d/kerneloops b/apparmor.d/kerneloops new file mode 100644 index 00000000..e27aa18e --- /dev/null +++ b/apparmor.d/kerneloops 
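Review bot: The `kernel-install` profile runs `chown` and `chmod` with `rix` against `/boot` yet declares no `capability chown`, `fowner` or `fsetid`, so once `flags=(complain)` is removed those calls will presumably be refused for anything not already owned by the invoking user, since AppArmor mediates root's capability use too. While in complain mode this only shows up in the log, which makes it easy to miss. Either add the capabilities with a comment (`# the install.d hooks chown/chmod the entry directory` — confirm against the installed `/{usr/,}lib/kernel/install.d/*.install` scripts) or note why they are not needed, and mark the complain flag as temporary so the profile is not left half-finished.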
@@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/kerneloops +profile kerneloops @{exec_path} { + #include + #include + + capability syslog, + + @{exec_path} mr, + + # Config file + /etc/kerneloops.conf r, + + # File to scan for kernel OOPSes + /var/log/kern.log r, + + # When found a kernel OOPS make a tmp file and fill it with the OOPS message + /tmp/kerneloops.* rw, + + #include if exists +} diff --git a/apparmor.d/kerneloops-applet b/apparmor.d/kerneloops-applet new file mode 100644 index 00000000..b6dc61a2 --- /dev/null +++ b/apparmor.d/kerneloops-applet @@ -0,0 +1,41 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kerneloops-applet +profile kerneloops-applet @{exec_path} { + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /usr/share/kerneloops/{,**} r, + + owner @{HOME}/.kerneloops rw, + + owner @{HOME}/.Xauthority r, + owner /tmp/xauth-[0-9]*-_[0-9] r, + + # When found a kernel OOPS make a tmp file and fill it with the OOPS message + /tmp/kerneloops.* rw, + + # Fonts + /usr/share/poppler/cMap/Adobe-Japan2/ r, + + #include if exists +} 
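Review bot: `/tmp/kerneloops.* rw,` in the `kerneloops` hunk is not `owner`-qualified, so the daemon — which reads `/var/log/kern.log` and holds `capability syslog`, i.e. presumably runs privileged — may open any `/tmp/kerneloops.*` file another local user pre-created, and the same predictable-name rule is repeated in the `kerneloops-applet` profile below. The profile cannot fix kerneloops's choice of temp name, but `owner /tmp/kerneloops.* rw,` at least refuses files planted by someone else. If the applet genuinely needs to read files the daemon wrote as root, say so in a comment at that rule instead of sharing the unqualified form in both profiles.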
diff --git a/apparmor.d/kexec b/apparmor.d/kexec
new file mode 100644
index 00000000..01c19b26
--- /dev/null
+++ b/apparmor.d/kexec
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/kexec
+profile kexec @{exec_path} flags=(complain) {
+ #include
+
+ capability sys_boot,
+
+ @{exec_path} mr,
+
+ owner /boot/{initrd.img,vmlinuz}-* r,
+
+ @{sys}/firmware/memmap/ r,
+ @{sys}/firmware/memmap/[0-9]*/{start,end,type} r,
+ @{sys}/kernel/boot_params/data r,
+
+ @{PROC}/cmdline r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/fb[0-9] r,
+
+ #include if exists
+}
diff --git a/apparmor.d/kmod b/apparmor.d/kmod
new file mode 100644
index 00000000..e8111378
--- /dev/null
+++ b/apparmor.d/kmod
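Review bot: `capability sys_boot,` is what lets `kexec` load and jump into an arbitrary kernel image, so `owner /boot/{initrd.img,vmlinuz}-* r,` is the only rule in this profile bounding what can be loaded, and `flags=(complain)` on the profile header means even that is not enforced yet. A comment tying the two together — `# sys_boot alone permits kexec_load of any image; the /boot read rule is the real restriction` — plus a note on why the profile is still in complain mode would help whoever eventually flips it to enforce. Keeping the `owner` qualifier there is also worth a word, since it means only root-owned kernel files under `/boot` qualify when kexec runs as root.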
@@ -0,0 +1,64 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /{usr/,}bin/{kmod,lsmod} +@{exec_path} += /{usr/,}sbin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} +profile kmod @{exec_path} { + #include + #include + + # To load/unload kernel modules + # modprobe: ERROR: could not insert '*': Operation not permitted + # + # modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove + # '*': Operation not permitted + capability sys_module, + + # For error logs to go through the syslog mechanism (as LOG_DAEMON with level LOG_NOTICE) rather + # than to standard error. + capability syslog, + + @{exec_path} mr, + + /{usr/,}lib/modprobe.d/{,*.conf} r, + /etc/modprobe.d/{,*.conf} r, + + /{usr/,}lib/modules/*/modules.* rw, + + /var/lib/dkms/**/module/*.ko r, + /usr/src/*/*.ko r, + + @{sys}/module/{,**} r, + + @{PROC}/cmdline r, + @{PROC}/modules r, + + # Needed for static-nodes + #capability dac_override, + #owner @{PROC}/@{pid}/fd/1 w, + + # For local kernel build + owner /tmp/depmod.*/lib/modules/*/ r, + owner /tmp/depmod.*/lib/modules/*/modules.* rw, + owner @{BUILD_DIR}/**/System.map r, + owner @{BUILD_DIR}/**/debian/*/lib/modules/*/ r, + owner @{BUILD_DIR}/**/debian/*/lib/modules/*/modules.* rw, + owner @{BUILD_DIR}/**/debian/*/lib/modules/*/kernel/{,**/} r, + owner @{BUILD_DIR}/**/debian/*/lib/modules/*/kernel/**/*.ko r, + + #include if exists +} diff --git a/apparmor.d/kodi b/apparmor.d/kodi new file mode 100644 index 00000000..66e8a19c --- /dev/null +++ b/apparmor.d/kodi 
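Review bot: `@{BUILD_DIR} = /media/debuilder/` hard-wires a host-specific mount point into the profile, and the identical definition is repeated in the lintian hunk further down, so any other host has to edit both files. Defining the variable once in a tunables file pulled in by the top-level include would let it be overridden centrally and keep the `owner @{BUILD_DIR}/**` rules of the two profiles in sync. A comment marking it as a site-specific default, e.g. `# site-specific: local kernel/package build tree`, would help readers who do not have that mount.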
@@ -0,0 +1,111 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin +profile kodi @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix, + /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx, + + /{usr/,}bin/dash rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/find rix, + /{usr/,}bin/date rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/dirname rix, + /{usr/,}sbin/ldconfig rix, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/df rCx -> df, + + /usr/share/kodi/{,**} r, + + owner @{HOME}/.kodi/ rw, + owner @{HOME}/.kodi/** rwk, + + owner @{HOME}/core w, + owner @{HOME}/kodi_crashlog-[0-9]*_[0-9]*.log w, + + owner @{HOME}/.icons/default/index.theme r, + + /usr/share/publicsuffix/* r, + + /usr/share/icons/*/index.theme r, + /etc/mime.types r, + + # Media lib + / r, + /media/ r, + /media/{Kabi,Zami}/ r, + /media/Kabi/mp3/{,**} r, + /media/Zami/{Film,Serial}/{,**} r, + + /etc/timezone r, + /etc/fstab r, + + /etc/glvnd/egl_vendor.d/ r, + /usr/share/glvnd/egl_vendor.d/ r, + /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/@{pid}/net/route r, + + @{sys}/**/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{bDeviceClass,idProduct,idVendor} r, + 
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{bDeviceClass,idProduct,idVendor} r, + @{sys}/devices/system/node/node0/meminfo r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r, + + /{var/,}run/udev/data/* r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + profile df { + #include + + /{usr/,}bin/df mr, + + owner @{PROC}/@{pid}/mountinfo r, + + # file_inherit + /usr/share/kodi/** r, + /sys/devices/virtual/thermal/thermal_zone[0-9]*/temp r, + /sys/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, + /home/morfik/.kodi/temp/kodi.log w, + + } + + #include if exists +} diff --git a/apparmor.d/kodi-xrandr b/apparmor.d/kodi-xrandr new file mode 100644 index 00000000..5f817b21 --- /dev/null +++ b/apparmor.d/kodi-xrandr @@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr +profile kodi-xrandr @{exec_path} { + #include + #include + + @{exec_path} mr, + + owner @{HOME}/.Xauthority r, + + # file_inherit + @{sys}/devices/virtual/thermal/thermal_zone0/temp r, + @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r, + owner @{HOME}/.kodi/temp/kodi.log w, + + #include if exists +} diff --git a/apparmor.d/kscreenlocker-greet b/apparmor.d/kscreenlocker-greet new file mode 100644 index 00000000..41994693 --- /dev/null +++ b/apparmor.d/kscreenlocker-greet 
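Review bot: The `df` child profile uses the literal path `/home/morfik/.kodi/temp/kodi.log w,` where the parent uses `owner @{HOME}/.kodi/** rwk,`; the rule only works for one account and drops the `owner` qualifier, so it should read `owner @{HOME}/.kodi/temp/kodi.log w,`. The two `/sys/devices/...` rules in the same child should use `@{sys}` as the parent profile does. In the parent, `@{sys}/**/ r,` grants directory listing over the whole of sysfs, and the `/media/{Kabi,Zami}/...` rules are site-specific library paths; a comment marking both as local choices would save the next reader from treating them as required.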
@@ -0,0 +1,83 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet +profile kscreenlocker-greet @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) peer=kcheckpass, + + @{exec_path} mr, + + /{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx, + + /usr/share/plasma/** r, + /usr/share/wallpapers/Path/contents/images/*.{jpg,png} r, + + # List of graphical sessions + /usr/share/xsessions/{,*.desktop} r, + /usr/share/wayland-sessions/{,*.desktop} r, + + owner @{HOME}/.Xauthority r, + + owner @{HOME}/.config/kdeglobals r, + owner @{HOME}/.config/kscreenlockerrc r, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/qtshadercache/ rw, + owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + + owner @{HOME}/.cache/plasma-svgelements-default_v* r, + + # If one is blocked, the others are probed. 
+ deny owner @{HOME}/#[0-9]*[0-9] mrw, + owner @{HOME}/.glvnd* mrw, + # owner /tmp/#[0-9]*[0-9] mrw, + # owner /tmp/.glvnd* mrw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/core_pattern r, + + /etc/fstab r, + + /usr/share/hwdata/pnp.ids r, + + # Audio player covers + owner /tmp/*-cover-*.{jpg,png} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/kvm-ok b/apparmor.d/kvm-ok new file mode 100644 index 00000000..967b474e --- /dev/null +++ b/apparmor.d/kvm-ok @@ -0,0 +1,51 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/kvm-ok +profile kvm-ok @{exec_path} { + #include + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/id rix, + + /{usr/,}bin/kmod rCx -> kmod, + + /{usr/,}sbin/rdmsr rPx, + + #/proc/cpuinfo r, + #/dev/kvm r, + #/dev/cpu/[0-9]*/msr r, + + + profile kmod { + #include + + /{usr/,}bin/kmod mr, + + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + /usr/lib/modprobe.d/ r, + /usr/lib/modprobe.d/*.conf r, + + @{PROC}/cmdline r, + + } + + #include if exists +} diff --git a/apparmor.d/kwalletd5 b/apparmor.d/kwalletd5 new file mode 100644 index 00000000..8d9024e3 --- /dev/null +++ b/apparmor.d/kwalletd5 
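Review bot: `owner @{HOME}/.glvnd* mrw,` lets the greeter write a file in the user's home and map that same file executable, which is the combination that allows a confined process to run code it has just written; the neighbouring `deny owner @{HOME}/#[0-9]*[0-9] mrw,` shows the author already saw the same probing for the anonymous-file variant. If the lock screen still works with `.glvnd*` denied as well, the `deny` form is the safer choice; otherwise a comment stating why `m` is needed, e.g. `# presumably libglvnd's fallback to a file in $HOME when memfd is unavailable — confirm`, would document the trade-off. The library behind the probe is not visible in the hunk, so the reason given above is an assumption.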
@@ -0,0 +1,86 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kwalletd5 +profile kwalletd5 @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + + owner @{HOME}/.config/kwalletrc r, + + owner @{HOME}/.config/kdeglobals r, + owner @{HOME}/.cache/icon-cache.kcache rw, + + owner @{HOME}/.local/share/kwalletd/ rw, + owner @{HOME}/.local/share/kwalletd/#[0-9]*[0-9] rw, + owner @{HOME}/.local/share/kwalletd/*.salt rw, + owner @{HOME}/.local/share/kwalletd/*.kwl rw, + owner @{HOME}/.local/share/kwalletd/*.kwl.* rwl -> @{HOME}/.local/share/kwalletd/#[0-9]*[0-9], + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /dev/shm/#[0-9]*[0-9] rw, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/core_pattern r, + + owner /tmp/kwalletd5.* rw, + + /usr/share/hwdata/pnp.ids r, + + # For GPG encrypted wallets + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + + + profile gpg { + #include + + /{usr/,}bin/gpgconf mr, + /{usr/,}bin/gpg mr, + /{usr/,}bin/gpgsm mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + } + + #include if exists +} + diff --git a/apparmor.d/kwalletmanager5 b/apparmor.d/kwalletmanager5 new file mode 100644 index 00000000..bc3c1e9a --- /dev/null +++ b/apparmor.d/kwalletmanager5 
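Review bot: `/dev/shm/#[0-9]*[0-9] rw,` lacks the `owner` qualifier, so the wallet daemon — which holds unlocked secrets — may open any unlinked shm object of that shape rather than only its own; `owner /dev/shm/#[0-9]*[0-9] rw,` is the narrower rule if the daemon only touches objects it created. The same unqualified rule reappears in the kwalletmanager5 hunk below. In the `gpg` child profile, `rwkl` over the entire `@{HOME}/.gnupg/**` tree is broad for what is presumably a decrypt operation; gpg does rewrite its lock and trustdb files, so it may be required, but a comment naming which files are actually written would help the next reader.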
@@ -0,0 +1,82 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kwalletmanager5 +profile kwalletmanager5 @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/FrameworkIntegrationPlugin.so mr, + /{usr/,}lib/@{multiarch}/qt5/plugins/phonon_platform/kde.so mr, + /{usr/,}lib/@{multiarch}/qt5/plugins/phonon4qt5_backend/phonon_vlc.so mr, + + /usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r, + + owner @{HOME}/.config/#[0-9]*[0-9] rw, + owner @{HOME}/.config/kwalletrc rw, + owner @{HOME}/.config/kwalletrc.lock rwk, + owner @{HOME}/.config/kwalletrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + owner @{HOME}/.config/kwalletmanager5rc rw, + owner @{HOME}/.config/kwalletmanager5rc.lock rwk, + owner @{HOME}/.config/kwalletmanager5rc.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + owner @{HOME}/.config/session/#[0-9]*[0-9] rw, + owner @{HOME}/.config/session/kwalletmanager5_* rwl -> @{HOME}/.config/session/#[0-9]*[0-9], + owner @{HOME}/.config/session/kwalletmanager5_*.lock rwk, + + owner @{HOME}/.config/kdeglobals r, + owner @{HOME}/.cache/icon-cache.kcache rw, + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/core_pattern r, + deny @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /etc/xdg/ui/ui_standards.rc r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + /dev/shm/ r, + /dev/shm/#[0-9]*[0-9] rw, + + owner /tmp/xauth-[0-9]*-_[0-9] r, + + #include if exists +} diff --git a/apparmor.d/libvirt/TEMPLATE.lxc b/apparmor.d/libvirt/TEMPLATE.lxc new file mode 100644 index 00000000..f1005dc5 --- /dev/null +++ b/apparmor.d/libvirt/TEMPLATE.lxc @@ -0,0 +1,15 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include + +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { + #include + + # Globally allows everything to run under this profile + # These can be narrowed depending on the container's use. + file, + capability, + network, +} diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu new file mode 100644 index 00000000..a327315d --- /dev/null +++ b/apparmor.d/libvirt/TEMPLATE.qemu @@ -0,0 +1,9 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include + +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { + #include +} diff --git a/apparmor.d/light b/apparmor.d/light new file mode 100644 index 00000000..1da36f74 --- /dev/null +++ b/apparmor.d/light 
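Review bot: The two explicit deny rules, `deny owner @{PROC}/@{pid}/cmdline r,` and `deny @{PROC}/sys/kernel/random/boot_id r,`, carry no explanation, and the kwalletd5 profile in this same commit allows both paths, so a reader cannot tell whether they are deliberate tightenings or audit-noise suppression. A comment above them such as `# explicitly denied: not needed for operation, silences audit noise — confirm` would record the intent. `/dev/shm/#[0-9]*[0-9] rw,` is again granted without `owner`, as in kwalletd5.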
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/light
+profile light @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # When started as root
+ /etc/light/ rw,
+ /etc/light/**/ rw,
+ /etc/light/targets/sysfs/backlight/auto/save rw,
+
+ owner @{HOME}/.config/light/ rw,
+ owner @{HOME}/.config/light/** rw,
+
+ @{sys}/class/backlight/ r,
+ @{sys}/class/leds/ r,
+
+ @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/{,max_}brightness r,
+ @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/brightness rw,
+
+ @{sys}/devices/pci[0-9]*/**/backlight/*/{,max_}brightness r,
+ @{sys}/devices/pci[0-9]*/**/backlight/*/brightness rw,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/light-locker b/apparmor.d/light-locker
new file mode 100644
index 00000000..08bf6076
--- /dev/null
+++ b/apparmor.d/light-locker
@@ -0,0 +1,56 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/light-locker
+profile light-locker @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ @{PROC}/1/cgroup r,
+ owner @{PROC}/@{pid}/cgroup r,
+
+ # when locking the screen and switching/closing sessions
+ /{,var/}run/systemd/sessions/[0-9]* r,
+
+ # To silecne the following error:
+ # dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
+ # dconf will not work properly.
+ ##include
+ #owner /{var/,}run/user/[0-9]*/dconf/ w,
+ #owner /{var/,}run/user/[0-9]*/dconf/user rw,
+ #include
+
+ @{sys}/devices/pci[0-9]*/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/vendor r,
+ @{sys}/devices/pci[0-9]*/**/device r,
+ @{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
+ @{sys}/devices/pci[0-9]*/**/subsystem_device r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/light-locker-command b/apparmor.d/light-locker-command
new file mode 100644
index 00000000..3470393a
--- /dev/null
+++ b/apparmor.d/light-locker-command
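Review bot: The comment `# To silecne the following error:` has a typo (`silence`), and the block it introduces consists of commented-out rules followed by a bare `#include`, so a reader cannot tell whether the include is what resolved the dconf error; if it is, say so in the comment and drop the dead rules. `@{PROC}/1/cgroup r,` would also benefit from a one-line why-comment, since reading PID 1's cgroup is unusual for a screen locker (presumably a systemd/logind detection check — confirm).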
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/light-locker-command
+profile light-locker-command @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/lightdm b/apparmor.d/lightdm
new file mode 100644
index 00000000..cf1f800e
--- /dev/null
+++ b/apparmor.d/lightdm
@@ -0,0 +1,130 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/lightdm +profile lightdm @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + + # To remove the following errors: + # lightdm[]: Could not chown user data directory /var/lib/lightdm/data/lightdm: Error setting + # owner: Operation not permitted + capability chown, + capability fowner, + capability fsetid, + + # To remove the following errors: + # write(2, "Failed to initialize supplementary groups for lightdm: + # Operation not permitted\n", 79) = 79 + capability setgid, + + # To remove the following errors: + # write(1, "Bail out! ERROR:privileges.c:30:privileges_drop: assertion failed: + # (setresuid (uid, uid, -1) == 0)\n", 99) = 99 + capability setuid, + + # To remove the following errors: + # lightdm[]: Could not enumerate user data directory /var/lib/lightdm/data: Error opening + # directory '/var/lib/lightdm/data': Permission denied + capability dac_read_search, + + # To remove the following errors: + # Error using VT_ACTIVATE 7 on /dev/tty0: Operation not permitted + capability sys_tty_config, + + # To be able to kill the X-server + capability kill, + + # To remove the following errors: + # pam_limits(su-l:session): Could not set limit for 'nofile' to soft=1024, hard=1048576: + # Operation not permitted; uid=1000,euid=0 + # pam_limits(su-l:session): Could not set limit for 'memlock' to soft=1017930240, + # hard=1017930240: Operation not permitted; uid=1000,euid=0 + capability sys_resource, + + # Needed? 
+ capability audit_write, + deny capability sys_nice, + deny capability net_admin, + + signal (send) set=(term, kill, usr1), + signal (receive) set=(usr1) peer=xorg, + + @{exec_path} mrix, + + /{usr/,}bin/plymouth mrix, + + /{usr/,}bin/Xorg rPx, + /{usr/,}sbin/lightdm-gtk-greeter rPx, + /{usr/,}bin/startx rPx, + + /etc/X11/Xsession rPUx, + /{usr/,}bin/gnome-keyring-daemon rPUx, + + /{usr/,}bin/rm rix, + + # LightDM files + /usr/share/lightdm/{,**} r, + /usr/share/xgreeters/{,**} r, + /var/lib/lightdm/{,**} rw, + + # List of graphical sessions + # The X sessions are covered by abstractions/X + /usr/share/wayland-sessions/{,*.desktop} r, + + /tmp/.X[0-9]*-lock r, + + # LightDM config files + /etc/lightdm/{,**} r, + + # LightDM logs + /var/log/lightdm/{,**} rw, + /var/log/btmp wk, + + /{,var/}run/lightdm/{,**} rw, + /{,var/}run/lightdm.pid rw, + + @{PROC}/1/limits r, + /etc/security/limits.d/ r, + + owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + + /etc/environment r, + /etc/default/locale r, + + /dev/tty[0-9]* r, + + # Xsession logs + owner @{HOME}/.xsession-errors{,.old} rw, + + owner @{HOME}/.Xauthority rw, + + owner @{HOME}/.dmrc* rw, + /var/cache/lightdm/dmrc/*.dmrc* rw, + + /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx, + /usr/libexec/at-spi-bus-launcher rPUx, + + #include if exists +} diff --git a/apparmor.d/lightdm-gtk-greeter b/apparmor.d/lightdm-gtk-greeter new file mode 100644 index 00000000..2390c9cb --- /dev/null +++ b/apparmor.d/lightdm-gtk-greeter 
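Review bot: `capability audit_write` sits under `# Needed?` with no justification; PAM modules built with libaudit emit audit records during login and need CAP_AUDIT_WRITE for that, so once confirmed the comment should say so, e.g. `# PAM (libaudit) writes login audit records`, and if lightdm works without it the line should go. The `rPUx` transitions for `/etc/X11/Xsession`, `gnome-keyring-daemon` and `at-spi-bus-launcher` fall back to unconfined when no profile for the target is loaded, which means the entire user session runs unconfined unless an Xsession profile ships alongside; a comment stating that fallback would make the confinement boundary explicit. The same `rPUx` pattern for at-spi-bus-launcher recurs in the lightdm-gtk-greeter hunk.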
@@ -0,0 +1,85 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/lightdm-gtk-greeter +profile lightdm-gtk-greeter @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + + signal (receive) set=(term, kill) peer=lightdm, + + @{exec_path} mr, + + /{usr/,}bin/locale rix, + + /{usr/,}lib/systemd/systemd rCx -> systemd, + + # LightDM files + /usr/share/lightdm/{,**} r, + /var/lib/lightdm/{,**} rw, + + # List of graphical sessions + # The X sessions are covered by abstractions/X + /usr/share/wayland-sessions/{,*.desktop} r, + + # Greeter theme + /var/lib/AccountsService/{,**} r, + /usr/share/desktop-base/{,**} r, + + # LightDM config files + /etc/lightdm/{,**} r, + + # LightDM logs + /var/log/lightdm/{,**} rw, + + owner @{HOME}/.face r, + + owner @{PROC}/@{pid}/fd/ r, + + # For account icons + @{HOME}/.dmrc r, + @{HOME}/.face r, + + /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx, + /usr/libexec/at-spi-bus-launcher rPUx, + + + profile systemd { + #include + + /{usr/,}lib/systemd/systemd mr, + + /etc/systemd/user.conf r, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + + # file_inherit + /var/log/lightdm/seat[0-9]*-greeter.log w, + + } + + #include if exists +} diff --git a/apparmor.d/lightdm-guest-session b/apparmor.d/lightdm-guest-session new file mode 100644 index 00000000..f666cf75 --- /dev/null +++ b/apparmor.d/lightdm-guest-session 
@@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# Profile for restricting lightdm guest session + +#include + +/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session { + # Most applications are confined via the main abstraction + #include + + # chromium-browser needs special confinement due to its sandboxing + #include + + # fcitx and friends needs special treatment due to C/S design + /usr/bin/fcitx ix, + /tmp/fcitx-socket-* rwl, + /dev/shm/* rwl, + /usr/bin/fcitx-qimpanel ix, + /usr/bin/sogou-qimpanel-watchdog ix, + /usr/bin/sogou-sys-notify ix, + /tmp/sogou-qimpanel:* rwl, + + # Allow ibus + unix (bind, listen) type=stream addr="@tmp/ibus/*", + + # mozc_server needs special treatment due to C/S design + unix (bind, listen) type=stream addr="@tmp/.mozc.*", +} diff --git a/apparmor.d/lightworks b/apparmor.d/lightworks new file mode 100644 index 00000000..746cdff2 --- /dev/null +++ b/apparmor.d/lightworks @@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lightworks +profile lightworks @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}lib/lightworks/ntcardvt rPx, + + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/od rix, + + owner @{HOME}/Lightworks/{,**/} w, + owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w, + owner @{HOME}/Lightworks/machine.num w, + + #include if exists +} diff --git a/apparmor.d/lightworks-ntcardvt b/apparmor.d/lightworks-ntcardvt new file mode 100644 index 00000000..fdc9c142 --- /dev/null +++ b/apparmor.d/lightworks-ntcardvt 
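Review bot: `/dev/shm/* rwl,` grants the guest session read, write and link over every object in /dev/shm, including other users' POSIX shared memory with permissive modes, which undercuts the isolation a guest session is meant to provide; if fcitx only needs its own segments, `owner /dev/shm/* rwl,` is the tighter rule. `/tmp/fcitx-socket-* rwl,` and `/tmp/sogou-qimpanel:* rwl,` could carry `owner` for the same reason. The `ix` transitions keep the input-method binaries under this profile, which is fine provided the abstraction included at the top is the restrictive guest one — its name is not visible in the rendered hunk.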
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/lightworks/ntcardvt
+profile lightworks-ntcardvt @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/linssid b/apparmor.d/linssid
new file mode 100644
index 00000000..6b899cb1
--- /dev/null
+++ b/apparmor.d/linssid
@@ -0,0 +1,114 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/linssid /{usr/,}bin/linssid-pkexec +profile linssid @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # For reading/saving config/log files when linssid is started via pkexec + #capability dac_read_search, + #capability dac_override, + + # Needed? + deny capability sys_admin, + deny capability sys_nice, + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/cat rix, + + # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Linssid works fine without this. 
+ #/{usr/,}bin/dbus-launch rCx -> dbus, + #/{usr/,}bin/dbus-send rCx -> dbus, + deny /{usr/,}bin/dbus-launch rx, + deny /{usr/,}bin/dbus-send rx, + + /{usr/,}sbin/iw rCx -> iw, + /{usr/,}bin/pkexec rPx, + + # For regular run as root user + owner @{HOME}/.linssid.prefs rw, + owner @{HOME}/LinSSID.datalog rw, + # For pkexec + #@{HOME}/.linssid.prefs rw, + #@{HOME}/LinSSID.datalog rw, + + /usr/share/linssid/{,*} r, + + /usr/share/hwdata/pnp.ids r, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/net/wireless r, + owner @{PROC}/@{pid}/cmdline r, + + owner /tmp/runtime-root/ rw, + owner /tmp/linssid_* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile iw { + #include + + capability net_admin, + deny capability sys_module, + + /{usr/,}sbin/iw mr, + + # file_inherit + owner @{HOME}/.linssid.prefs rw, + owner @{HOME}/LinSSID.datalog rw, + owner /tmp/linssid_* rw, + owner /dev/dri/card[0-9]* rw, + + } + + profile dbus { + #include + #include + + /{usr/,}bin/dbus-launch mr, + /{usr/,}bin/dbus-send mr, + /{usr/,}bin/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + + @{HOME}/.Xauthority r, + } + + #include if exists +} diff --git a/apparmor.d/lintian b/apparmor.d/lintian new file mode 100644 index 00000000..1107c6bf --- /dev/null +++ b/apparmor.d/lintian 
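Review bot: The `dbus` child profile is unreachable: both `rCx -> dbus` transitions are commented out and replaced by `deny /{usr/,}bin/dbus-launch rx,` and `deny /{usr/,}bin/dbus-send rx,`, so the block is dead configuration that still has to be maintained. Either remove it or put a comment on it stating it is kept for re-enabling; if kept, `@{HOME}/.Xauthority r,` inside it should take `owner`, as the other Xauthority rules in this commit do. `owner /tmp/runtime-root/ rw,` documents that the root run uses a predictable runtime directory under /tmp; that is the program's behaviour rather than a profile defect, but a short comment noting it would help whoever reviews the pkexec path later.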
@@ -0,0 +1,168 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{BUILD_DIR} = /media/debuilder/ + +@{exec_path} = /usr/share/lintian/bin/lintian +@{exec_path} += /usr/share/lintian/bin/lintian-info +@{exec_path} += /usr/share/lintian/bin/spellintian +@{exec_path} += /{usr/,}bin/lintian +@{exec_path} += /{usr/,}bin/lintian-info +@{exec_path} += /{usr/,}bin/spellintian +profile lintian @{exec_path} flags=(complain) { + #include + #include + #include + + capability sys_ptrace, + + ptrace (read), + + @{exec_path} r, + /{usr/,}bin/perl r, + + /usr/share/lintian/helpers/** rix, + + /{usr/,}bin/dash rix, + /{usr/,}bin/fgrep rix, + /{usr/,}bin/env rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/nproc rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/find rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/file rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/sha{1,256,512}sum rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/filterdiff rix, + /{usr/,}bin/lexgrog rix, + + /{usr/,}bin/{,@{multiarch}-}ar rix, + /{usr/,}bin/{,@{multiarch}-}readelf rix, + /{usr/,}bin/{,@{multiarch}-}strings rix, + + /{usr/,}bin/dpkg-source rcx -> dpkg-source, + /{usr/,}bin/gpg rCx -> gpg, + + /{usr/,}bin/dpkg-deb rPx, + /{usr/,}bin/man rPx, + /{usr/,}bin/dpkg-architecture rPx, + + /usr/share/lintian/{,**} rk, + + /etc/lintianrc r, + + /etc/xml/catalog r, + + /dev/null rwk, + + # For file + /etc/magic r, + + owner /tmp/lintian-pool-*/ rw, + owner /tmp/lintian-pool-*/** rwkl -> /tmp/lintian-pool-*/**, + + # For gpg + owner /tmp/*/ rw, + owner /tmp/*/pubring.kbx w, + owner 
/tmp/*/random_seed w, + + owner /tmp/* rw, + + # For pbuilder + owner @{BUILD_DIR}/**.{changes,dsc,buildinfo,tar.*,deb} rk, + owner @{HOME}/**.{changes,dsc,buildinfo,tar.*,deb} rk, + + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pid}/environ r, + + /dev/ r, + /dev/**/ r, + + /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, + + /etc/dpkg/origins/debian r, + /usr/share/dpkg/{cpu,tuple}table r, + + + profile dpkg-source flags=(complain) { + #include + #include + #include + + /{usr/,}bin/dpkg-source mr, + /{usr/,}bin/perl r, + + /{usr/,}bin/tar rix, + /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/patch rix, + + /etc/dpkg/origins/debian r, + + owner /tmp/lintian-pool-*/** rw, + + owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + owner @{HOME}/** rwkl -> @{HOME}/**, + audit deny owner @{HOME}/.* mrwkl, + audit deny owner @{HOME}/.*/ rw, + audit deny owner @{HOME}/.*/** mrwkl, + + # file_inherit + owner /tmp/* rw, + + } + + profile gpg flags=(complain) { + #include + + /{usr/,}bin/gpg mr, + + owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r, + owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r, + owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw, + owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/*/trustdb.gpg rw, + owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/*/pubring.kbx rw, + owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/*.gpg rw, + owner /tmp/*.gpg~ w, + owner /tmp/*.gpg.tmp rw, + owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw, + owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, + owner 
/{var/,}run/user/[0-9]*/gnupg/d.*/ rw, + + # file_inherit + owner /tmp/* rw, + + } + + #include if exists +} diff --git a/apparmor.d/linux-check-removal b/apparmor.d/linux-check-removal new file mode 100644 index 00000000..ffd509b7 --- /dev/null +++ b/apparmor.d/linux-check-removal @@ -0,0 +1,58 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/linux-check-removal +profile linux-check-removal @{exec_path} flags=(complain) { + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, + + + profile frontend flags=(complain) { + #include + #include + #include + #include + + /usr/share/debconf/frontend r, + /{usr/,}bin/perl r, + + /{usr/,}bin/linux-check-removal rPx, + + /{usr/,}bin/dash rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + /{usr/,}bin/whiptail rPx, + owner /tmp/file* w, + + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + } + + #include if exists +} diff --git a/apparmor.d/linux-version b/apparmor.d/linux-version new file mode 100644 index 00000000..49ba413b --- /dev/null +++ b/apparmor.d/linux-version 
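Review bot: `capability sys_ptrace` and `ptrace (read),` carry no comment explaining what lintian needs them for; they appear to back the `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` reads of other processes, which is a broad grant for a package checker, so a comment such as `# reads /proc/<pid>/{cmdline,stat} of other processes — confirm which check needs this` is warranted, and the capability should be dropped if only the tool's own pid is read. `owner /tmp/* rw,` in the parent and in both child profiles is wide, given that the `lintian-pool-*` and gpg temp-file rules above it already name the expected files. `@{BUILD_DIR} = /media/debuilder/` duplicates the host-specific definition from the kmod hunk.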
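Review bot: The `frontend` child profile in the linux-check-removal hunk is dead code: the only transition to it, `rCx -> frontend`, is commented out in favour of `/usr/share/debconf/frontend rPx,`, and the `#FIXME#` comment does not say which of the two is intended. If the child is kept, `/usr/share/debconf/templates/adequate.templates r,` looks copied from a profile for the `adequate` tool rather than a file this program reads — confirm which template file linux-check-removal actually uses. `owner /tmp/file* w,` is a very wide pattern for the dialog frontend's temporary file; a comment naming what creates it would help.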
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/linux-version
+profile linux-version @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /boot/ r,
+
+ #include if exists
+}
diff --git a/apparmor.d/localepurge b/apparmor.d/localepurge
new file mode 100644
index 00000000..36078d82
--- /dev/null
+++ b/apparmor.d/localepurge
@@ -0,0 +1,66 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/localepurge +profile localepurge @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + + /{usr/,}bin/fgrep rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/du rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/find rix, + + /{usr/,}bin/df rPx, + + owner @{PROC}/@{pid}/fd/ r, + + /etc/locale.nopurge r, + + owner /var/cache/localepurge/localelist r, + owner /var/cache/localepurge/localelist-new{,.temp} rw, + + # Dirs cleaned from locales + /usr/share/{locale,man,omf,calendar}/{,**/} r, + /usr/share/{locale,man,omf,calendar}/**/** w, + /usr/share/{gnome/,}help/{,**/} r, + /usr/share/{gnome/,}help/**/** w, + /usr/share/cups/{templates,locale,doc-root}/{,**/} r, + /usr/share/cups/{templates,locale,doc-root}/**/** w, + /usr/share/vim/ r, + /usr/share/vim/vim[0-9]*/lang/{,**/} r, + /usr/share/vim/vim[0-9]*/lang/**/** w, + /usr/share/X11/locale/{,**/} r, + /usr/share/X11/locale/**/** w, + /usr/share/aptitude/{,*} r, + /usr/share/aptitude/* w, + + /tmp/ r, + + #include if exists +} diff --git a/apparmor.d/logrotate b/apparmor.d/logrotate new file mode 100644 index 00000000..ea8adf60 --- /dev/null +++ b/apparmor.d/logrotate 
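Review bot: `/{usr/,}bin/df rPx` only works if a profile attached to `/{usr/,}bin/df` is loaded; with `Px` and no matching profile the exec is denied, and because localepurge carries no `complain` flag that denial is enforced. A comment next to the rule naming the dependency, e.g. `# requires the df profile from this repo to be loaded`, would make the coupling visible; the same applies to `/{usr/,}bin/unmkinitramfs rPx` in the lsinitramfs hunk and to `apt-cache`/`dpkg-query rPx` in the lsb_release hunk. The `/usr/share/{locale,man,omf,calendar}/**/** w` family also deserves a one-line comment stating that only entries at least one level below those directories are meant to be removable, if that is the intent of the `**/**` form.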
@@ -0,0 +1,88 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/logrotate +profile logrotate @{exec_path} flags=(attach_disconnected,complain) { + #include + #include + + # Needed for logfiles owned by other users than root, for instance exim. + capability dac_read_search, + capability dac_override, + + capability chown, + capability setgid, + capability setuid, + capability fsetid, + capability fowner, + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/gzip rix, + /{usr/,}sbin/invoke-rc.d rix, + /{usr/,}lib/rsyslog/rsyslog-rotate rix, + + # no new privs + #/{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/systemctl rix, + /{usr/,}sbin/runlevel rix, + #include + ptrace (read), + capability sys_ptrace, + owner @{PROC}/@{pid}/stat r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /etc/ r, + /etc/logrotate.conf rk, + /etc/logrotate.d/ r, + /etc/logrotate.d/* rk, + + /var/lib/logrotate/status{,.tmp} rw, + + /var/log/** rw, + + # Needed to remove the following error: + # logrotate[]: error: could not change directory to '.' + / r, + + @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + + + profile systemctl flags=(attach_disconnected, complain) { + #include + #include + + capability sys_ptrace, + ptrace (read), + + /{usr/,}bin/systemctl mr, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg rw, + + } + + #include if exists +} 
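Review bot: The `systemctl` child profile is never entered: the live rule is `/{usr/,}bin/systemctl rix` (the `rCx -> systemctl` line is commented out), so `capability sys_ptrace` and `ptrace (read)` are granted to the whole logrotate profile, including the `dash`, `invoke-rc.d` and `rsyslog-rotate` helpers that also run with `ix`. Given the `# no new privs` comment, the `ix` fallback looks like a workaround for a profile transition failing under no_new_privs; if so, say it explicitly, e.g. `# systemctl runs ix because a Cx transition fails under no_new_privs; the ptrace grants below exist for it`, and remove the unreachable child rather than leaving dead policy that silently becomes live when uncommented. Note also that `/{usr/,}bin/dash rix` means every prerotate/postrotate script runs inside this profile with `dac_override`, `chown`, `setuid`, `setgid` and `/var/log/** rw`; a comment stating that this is deliberate would help the next auditor.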
diff --git a/apparmor.d/lsb_release b/apparmor.d/lsb_release new file mode 100644 index 00000000..5cc6890b --- /dev/null +++ b/apparmor.d/lsb_release @@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lsb_release +profile lsb_release @{exec_path} { + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/dpkg-query rPx, + + /etc/lsb-release r, + /etc/debian_version r, + /etc/dpkg/origins/debian r, + /usr/share/distro-info/debian.csv r, + + owner @{PROC}/@{pid}/fd/ r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/lsblk b/apparmor.d/lsblk new file mode 100644 index 00000000..ccf871a6 --- /dev/null +++ b/apparmor.d/lsblk @@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lsblk +profile lsblk @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mountinfo r, + + /{var/,}run/mount/utab r, + + #include if exists +} diff --git a/apparmor.d/lscpu b/apparmor.d/lscpu new file mode 100644 index 00000000..b728125a --- /dev/null 
+++ b/apparmor.d/lscpu @@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lscpu +profile lscpu @{exec_path} { + #include + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/bus/pci/devices r, + + @{sys}/devices/system/cpu/{,**} r, + + @{sys}/firmware/dmi/tables/DMI r, + + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/cpumap r, + + #include if exists +} diff --git a/apparmor.d/lsinitramfs b/apparmor.d/lsinitramfs new file mode 100644 index 00000000..5fced545 --- /dev/null +++ b/apparmor.d/lsinitramfs @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lsinitramfs +profile lsinitramfs @{exec_path} { + #include + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/cat rix, + /{usr/,}bin/getopt rix, + + /{usr/,}bin/unmkinitramfs rPx, + + #include if exists +} diff --git a/apparmor.d/lspci b/apparmor.d/lspci new file mode 100644 index 00000000..94537984 --- /dev/null +++ b/apparmor.d/lspci 
@@ -0,0 +1,46 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lspci +profile lspci @{exec_path} { + #include + #include + + # Needed when run as root + capability sys_admin, + + @{exec_path} mr, + + @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/slots/ r, + @{sys}/devices/pci[0-9]*/** r, + + /usr/share/misc/pci.ids r, + /usr/share/misc/pci.ids.gz r, + + /etc/udev/hwdb.bin r, + + /etc/modprobe.d/{,*.conf} r, + + owner @{HOME}/.pciids-cache.tmp-*-@{pid} rw, + owner @{HOME}/.pciids-cache rw, + + @{PROC}/cmdline r, + + # file_inherit + @{PROC}/ioports r, + + #include if exists +} diff --git a/apparmor.d/lsusb b/apparmor.d/lsusb new file mode 100644 index 00000000..41a34d97 --- /dev/null +++ b/apparmor.d/lsusb @@ -0,0 +1,37 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lsusb +profile lsusb @{exec_path} { + #include + + @{exec_path} mr, + + /dev/bus/usb/ r, + /dev/bus/usb/** rw, + + @{sys}/class/ r, + @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, + + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r, + + /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + /{var/,}run/udev/data/+usb:* r, # + + /etc/udev/hwdb.bin r, + + #include if exists +} 
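Review bot: `capability sys_admin` in lspci is the broadest capability in the set and the comment `# Needed when run as root` does not say what needs it; in the kernel, reading past the first 64 bytes of a device's PCI config space through sysfs is gated on CAP_SYS_ADMIN, which is what `lspci -vv`/`-xxx` as root triggers. Suggest `# Reading the extended (>64 byte) PCI config space via sysfs requires CAP_SYS_ADMIN` so the grant is tied to a reason. In the lsusb hunk on the same line, `/dev/bus/usb/** rw` grants write access to every USB device node; if that is for libusb opening nodes read-write for descriptor ioctls, a comment saying so would make the `w` easier to audit.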
diff --git a/apparmor.d/lxappearance b/apparmor.d/lxappearance new file mode 100644 index 00000000..8a8a67c2 --- /dev/null +++ b/apparmor.d/lxappearance @@ -0,0 +1,75 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lxappearance +profile lxappearance @{exec_path} { + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # When lxappearance is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Lxappearance works fine without this. + #/{usr/,}bin/dbus-launch rCx -> dbus, + #/{usr/,}bin/dbus-send rCx -> dbus, + deny /{usr/,}bin/dbus-launch rx, + deny /{usr/,}bin/dbus-send rx, + + /usr/share/lxappearance/{,**} r, + + owner @{HOME}/.themes/{,**} r, + owner @{HOME}/.icons/{,**} rw, + + owner @{HOME}/.gtkrc-2.0{,.*} rw, + owner @{HOME}/.config/gtk-3.0/settings.ini{,.*} rw, + + /etc/X11/cursors/*.theme r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile dbus { + #include + #include + + /{usr/,}bin/dbus-launch mr, + /{usr/,}bin/dbus-send mr, + /{usr/,}bin/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + + @{HOME}/.Xauthority r, + } + + #include if exists +} 
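Review bot: The `dbus` child profile in lxappearance is dead policy: the only transitions into it are commented out and replaced by `deny /{usr/,}bin/dbus-launch rx` and `deny /{usr/,}bin/dbus-send rx`. Keeping it is risky because it grants `/{usr/,}bin/dbus-daemon rPUx` (unconfined fallback) and `@{HOME}/.Xauthority r` without `owner`, so uncommenting one line later would silently enable an unconfined daemon launch. Either remove the child or, if it is kept for reference, mark it `# unused: transitions above are denied` and replace `rPUx` with a stricter transition when it is revived.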
diff --git a/apparmor.d/lxc-containers b/apparmor.d/lxc-containers
new file mode 100644
index 00000000..0644cf2d
--- /dev/null
+++ b/apparmor.d/lxc-containers
@@ -0,0 +1,7 @@
+# This file exists only to ensure that all per-container policies
+# listed under /etc/apparmor.d/lxc get loaded at boot. Please do
+# not edit this file.
+
+#include
+
+#include
diff --git a/apparmor.d/lxc/lxc-default b/apparmor.d/lxc/lxc-default
new file mode 100644
index 00000000..9a96a2e5
--- /dev/null
+++ b/apparmor.d/lxc/lxc-default
@@ -0,0 +1,11 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+}
diff --git a/apparmor.d/lxc/lxc-default-cgns b/apparmor.d/lxc/lxc-default-cgns
new file mode 100644
index 00000000..f69eb994
--- /dev/null
+++ b/apparmor.d/lxc/lxc-default-cgns
@@ -0,0 +1,13 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
+}
diff --git a/apparmor.d/lxc/lxc-default-with-mounting b/apparmor.d/lxc/lxc-default-with-mounting
new file mode 100644
index 00000000..8a9a6b71
--- /dev/null
+++ b/apparmor.d/lxc/lxc-default-with-mounting
@@ -0,0 +1,14 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+# allow standard blockdevtypes.
+# The concern here is in-kernel superblock parsers bringing down the
+# host with bad data. However, we continue to disallow proc, sys, securityfs,
+# etc to nonstandard locations.
+ mount fstype=ext*,
+ mount fstype=xfs,
+ mount fstype=btrfs,
+}
diff --git a/apparmor.d/lxc/lxc-default-with-nesting b/apparmor.d/lxc/lxc-default-with-nesting
new file mode 100644
index 00000000..cd198beb
--- /dev/null
+++ b/apparmor.d/lxc/lxc-default-with-nesting
@@ -0,0 +1,15 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
+ #include
+ #include
+
+ deny /dev/.lxc/proc/** rw,
+ deny /dev/.lxc/sys/** rw,
+ mount fstype=proc -> /var/cache/lxc/**,
+ mount fstype=sysfs -> /var/cache/lxc/**,
+ mount options=(rw,bind),
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
+}
diff --git a/apparmor.d/lynx b/apparmor.d/lynx
new file mode 100644
index 00000000..24a660c5
--- /dev/null
+++ b/apparmor.d/lynx
@@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/lynx +profile lynx @{exec_path} { + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /etc/lynx/{,*} r, + + /usr/share/doc/lynx-common/** r, + + /etc/mime.types r, + + /{usr/,}bin/dash rix, + /etc/mailcap r, + + owner /tmp/lynxXXXX*/ rw, + owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw, + + #include if exists +} diff --git a/apparmor.d/macchanger b/apparmor.d/macchanger new file mode 100644 index 00000000..3cafe709 --- /dev/null +++ b/apparmor.d/macchanger @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/macchanger +profile macchanger @{exec_path} { + #include + + capability net_admin, + + @{exec_path} mr, + + /usr/share/macchanger/*.list r, + + /dev/hwrng r, + + #include if exists +} diff --git a/apparmor.d/mediainfo b/apparmor.d/mediainfo new file mode 100644 index 00000000..6824b910 --- /dev/null +++ b/apparmor.d/mediainfo 
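Review bot: `/{usr/,}bin/dash rix` in the lynx profile carries no comment; its placement next to `/etc/mailcap r` suggests it is for mailcap-driven viewers, in which case those helpers inherit lynx's entire profile (including whatever network access the included abstractions provide) and every helper binary still needs its own exec rule or it is denied. Suggest `# For mailcap/mime handlers; dash inherits this profile, helper binaries need explicit exec rules`. If the shell is instead needed for something else, the comment should say that, since an `ix` shell in a network-facing profile is the rule a reviewer will question first.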
@@ -0,0 +1,58 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Video/audio extensions: +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, +# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +@{mediainfo_ext} = [aA]{52,[aA][cC],[cC]3} +@{mediainfo_ext} += [mM][kK][aA] +@{mediainfo_ext} += [fF][lL][aA][cC] +@{mediainfo_ext} += [mM][pP][123cC] +@{mediainfo_ext} += [oO][gGmM][aA] +@{mediainfo_ext} += [wW]{,[aA]}[vV] +@{mediainfo_ext} += [wW][mM]{,[aA]} +@{mediainfo_ext} += 3[gG]{[2pP],[pP][2pP]} +@{mediainfo_ext} += [aA][sS][fF] +@{mediainfo_ext} += [aA][vV][iI] +@{mediainfo_ext} += [dD][iI][vV][xX] +@{mediainfo_ext} += [mM][124][vV] +@{mediainfo_ext} += [mM][kKoO][vV] +@{mediainfo_ext} += [mM][pP][4aAeEgG] +@{mediainfo_ext} += [mM][pP][eE][gG]{,[124]} +@{mediainfo_ext} += [oO][gG][gGmMxXvV] +@{mediainfo_ext} += [rR][mM]{,[vV][bB]} +@{mediainfo_ext} += [wW][eE][bB][mM] +@{mediainfo_ext} += [wW][mMtT][vV] +@{mediainfo_ext} += [mM][pP]2[tT] + +@{exec_path} = /{usr/,}bin/mediainfo +profile mediainfo @{exec_path} { + #include + #include + + @{exec_path} mr, + + # Which media files mediainfo should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + owner /{home,media}/**.@{mediainfo_ext} r, + + #include if exists +} diff --git a/apparmor.d/megasync b/apparmor.d/megasync new file mode 100644 index 00000000..0dd557e2 --- /dev/null +++ b/apparmor.d/megasync 
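Review bot: The 20-line `@{mediainfo_ext}` extension list is byte-for-byte the same as `@{mkvmerge_ext}` in the mkvmerge hunk, and two hand-maintained copies will drift. A shared variable in a tunables file (e.g. `@{media_ext}`) that both profiles reuse, with mkvmerge appending its subtitle extras via `+=`, would keep them in sync and leave one place to audit which file types a media tool may touch. This note covers the mkvmerge hunk as well.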
@@ -0,0 +1,110 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{SYNC_FOLDER}=/media/*/cloud_storage + +@{exec_path} = /{usr/,}bin/megasync +profile megasync @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mrix, + + /{usr/,}bin/bash rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, + + /{usr/,}bin/xrdb rPx, + /{usr/,}bin/xdg-mime rPx, + + /{usr/,}bin/xdg-open rCx -> open, + + # Megasync home files + owner @{HOME}/ r, + owner "@{HOME}/.local/share/data/Mega Limited/" rw, + owner "@{HOME}/.local/share/data/Mega Limited/**" rwkl -> "@{HOME}/.local/share/data/Mega Limited/MEGAsync/#[0-9]*[0-9]", + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{HOME}/.config/QtProject.conf r, + + # Sync folder + #/ r, + #/media/ r, + #/media/*/ r, + owner @{SYNC_FOLDER}/ r, + owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**, + + # Proc filesystem + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + /etc/fstab r, + + # Autostart + owner @{HOME}/.config/autostart/#[0-9]*[0-9] rw, + owner @{HOME}/.config/autostart/megasync.desktop rwl -> @{HOME}/.config/autostart/#[0-9]*[0-9], + + /dev/shm/#[0-9]*[0-9] rw, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPx, + /{usr/,}bin/spacefm rPx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPx, + /{usr/,}bin/spacefm rPx, + + # file_inherit + owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw, + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/memtester b/apparmor.d/memtester new file mode 100644 index 00000000..04adc6e7 --- /dev/null +++ b/apparmor.d/memtester @@ -0,0 +1,23 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/memtester +profile memtester @{exec_path} { + #include + + @{exec_path} mr, + + #include if exists +} 
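Review bot: `@{SYNC_FOLDER}=/media/*/cloud_storage` hard-codes a machine-specific sync location at the top of the megasync profile; since `owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**` is the profile's only write grant to user data, this belongs in a tunables file so deployments override it without editing the profile. `/dev/shm/#[0-9]*[0-9] rw` lacks the `owner` qualifier that every other per-user path in the profile carries; if that is intentional a comment should say why, and the same rule recurs in the minitube hunk. The megasync hunk starts on the previous line.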
diff --git a/apparmor.d/mimetype b/apparmor.d/mimetype new file mode 100644 index 00000000..491715c5 --- /dev/null +++ b/apparmor.d/mimetype @@ -0,0 +1,38 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/mimetype +profile mimetype @{exec_path} { + #include + #include + + @{exec_path} r, + /usr/bin/perl r, + + /usr/share/mime/**.xml r, + /usr/share/mime/globs r, + /usr/share/mime/aliases r, + /usr/share/mime/magic r, + + owner @{HOME}/.local/share/mime/**.xml r, + owner @{HOME}/.local/share/mime/globs r, + owner @{HOME}/.local/share/mime/aliases r, + owner @{HOME}/.local/share/mime/magic r, + + # To read files + /** r, + + #include if exists +} diff --git a/apparmor.d/minitube b/apparmor.d/minitube new file mode 100644 index 00000000..708aa33a --- /dev/null +++ b/apparmor.d/minitube 
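Review bot: `/** r` under `# To read files` gives the mimetype profile read access to the entire filesystem without `owner`; for a type-sniffing tool that is arguably the point, but the comment should say so explicitly, e.g. `# mimetype may be pointed at any file, so reads are deliberately not restricted beyond DAC`, so the rule is not "fixed" by a later reviewer. `/usr/bin/perl r` also departs from the `/{usr/,}bin/perl r` form used by the other perl-script profiles in this commit (linux-check-removal, linux-version); a consistency nit only, but one line to change.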
@@ -0,0 +1,117 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/minitube +profile minitube @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # Minitube home files + owner "@{HOME}/.config/Flavio Tordini/" rw, + owner "@{HOME}/.config/Flavio Tordini/*" rwkl -> "@{HOME}/.config/Flavio Tordini/#[0-9]*[0-9]", + owner "@{HOME}/.local/share/Flavio Tordini/" rw, + owner "@{HOME}/.local/share/Flavio Tordini/Minitube/" rw, + owner "@{HOME}/.local/share/Flavio Tordini/Minitube/*" rwk, + + # Snapshot + owner @{HOME}/Pictures/*.png rw, + owner @{HOME}/vlcsnap-.png rw, + + /usr/share/minitube/{,**} r, + + # If one is blocked, the others are probed. 
+ deny owner @{HOME}/#[0-9]*[0-9] mrw, + owner @{HOME}/.glvnd* mrw, + # owner /tmp/#[0-9]*[0-9] mrw, + # owner /tmp/.glvnd* mrw, + + # Cache + owner @{HOME}/.cache/ rw, + owner "@{HOME}/.cache/Flavio Tordini/" rw, + owner "@{HOME}/.cache/Flavio Tordini/Minitube/" rw, + owner "@{HOME}/.cache/Flavio Tordini/Minitube/**" rwl -> "@{HOME}/.cache/Flavio Tordini/Minitube/**", + + owner @{HOME}/.cache/qtshadercache/ rw, + owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + deny /dev/ r, + /dev/shm/#[0-9]*[0-9] rw, + + /etc/vdpau_wrapper.cfg r, + + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/core_pattern r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + # TMP + owner /tmp/qtsingleapp-minitu-* rw, + owner /tmp/qtsingleapp-minitu-*-lockfile rwk, + + /{usr/,}bin/xdg-open rCx -> open, + + # Be able to turn off the screensaver while playing movies + /{usr/,}bin/xdg-screensaver rPUx, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/mke2fs b/apparmor.d/mke2fs new file mode 100644 index 00000000..5eca554e --- /dev/null +++ b/apparmor.d/mke2fs 
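Review bot: `/{usr/,}lib/firefox/firefox rPUx` and `/{usr/,}bin/xdg-screensaver rPUx` in minitube fall back to unconfined execution when no profile for the target is loaded, whereas the megasync hunk in this same commit uses `rPx` for the identical firefox rule; the two should agree, and `Px` (a hard failure instead of an unconfined browser) is the safer default for a browser launched from a media player. `owner @{HOME}/vlcsnap-.png rw` looks like a lost glob (`vlcsnap-*.png`?) — worth confirming against the filenames minitube actually writes. The minitube hunk starts on the previous line.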
@@ -0,0 +1,46 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4} +profile mke2fs @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + # To check for badblocks + /{usr/,}bin/dash rix, + /{usr/,}sbin/badblocks rPx, + + /etc/mke2fs.conf r, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/swaps r, + + owner /{,var/}run/blkid/blkid.tab{,-*} rw, + owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + + # A place for file images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + # For virt-resize + owner /var/tmp/.guestfs-[0-9]*/** rwk, + + #include if exists +} diff --git a/apparmor.d/mkfs-btrfs b/apparmor.d/mkfs-btrfs new file mode 100644 index 00000000..ef181017 --- /dev/null +++ b/apparmor.d/mkfs-btrfs 
@@ -0,0 +1,37 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/mkfs.btrfs +profile mkfs-btrfs @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + /dev/btrfs-control rw, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/swaps r, + + # A place for file images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + #include if exists +} diff --git a/apparmor.d/mkfs-fat b/apparmor.d/mkfs-fat new file mode 100644 index 00000000..dc82306e --- /dev/null +++ b/apparmor.d/mkfs-fat @@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs} +profile mkfs-fat @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + + # A place for file images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + #include if exists +} 
diff --git a/apparmor.d/mkinitramfs b/apparmor.d/mkinitramfs
new file mode 100644
index 00000000..65c58abd
--- /dev/null
+++ b/apparmor.d/mkinitramfs
@@ -0,0 +1,154 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/mkinitramfs +profile mkinitramfs @{exec_path} { + #include + #include + + capability syslog, + capability chown, + capability fowner, + capability fsetid, + + @{exec_path} r, + /{usr/,}bin/dash rix, + + /{usr/,}bin/getopt rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tsort rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/id rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cpio rix, + /{usr/,}bin/env rix, + /{usr/,}bin/rmdir rix, + + /{usr/,}bin/ldd rCx -> ldd, + /{usr/,}sbin/ldconfig rCx -> ldconfig, + /{usr/,}bin/find rCx -> find, + /{usr/,}bin/kmod rCx -> kmod, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + # What to do with it? 
(#FIXME#) + /usr/share/initramfs-tools/hooks/* rPUx, + /usr/share/initramfs-tools/scripts/*/* rPUx, + /etc/initramfs-tools/hooks/* rPUx, + /etc/initramfs-tools/scripts/*/* rPUx, + + /usr/share/initramfs-tools/{,**} r, + /etc/initramfs-tools/{,**} r, + + / r, + /etc/ r, + /etc/modprobe.d/{,*.conf} r, + + owner /boot/initrd.img-*.new rw, + + owner /var/tmp/mkinitramfs_*/ rw, + owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, + /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, + owner /var/tmp/mkinitramfs-* rw, + + @{PROC}/modules r, + + + profile ldd { + #include + #include + + /{usr/,}bin/ldd mr, + + /{usr/,}bin/kmod mr, + /{usr/,}bin/bash r, + + /{usr/,}lib/@{multiarch}/ld-*.so rix, + /{usr/,}lib{,x}32/ld-*.so rix, + + } + + profile ldconfig { + #include + #include + + capability sys_chroot, + + /{usr/,}sbin/ldconfig mr, + + owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, + owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, + + owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r, + owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r, + owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw, + owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw, + + owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw, + + owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw, + owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw, + + } + + profile find { + #include + #include + + /{usr/,}bin/find mr, + + # pwd dir + / r, + /root/ r, + + /usr/share/initramfs-tools/scripts/{,**/} r, + /etc/initramfs-tools/scripts/{,**/} r, + + owner /var/tmp/mkinitramfs_*/{,**/} r, + + } + + profile kmod { + #include + #include + + /{usr/,}bin/kmod mr, + + @{PROC}/cmdline r, + + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r, + owner 
/var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r, + + } + + #include if exists +} diff --git a/apparmor.d/mkntfs b/apparmor.d/mkntfs new file mode 100644 index 00000000..4fb30284 --- /dev/null +++ b/apparmor.d/mkntfs @@ -0,0 +1,28 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/{mkntfs,mkfs.ntfs} +profile mkntfs @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + owner @{PROC}/@{pids}/mounts r, + + #include if exists +} diff --git a/apparmor.d/mkswap b/apparmor.d/mkswap new file mode 100644 index 00000000..5a11d895 --- /dev/null +++ b/apparmor.d/mkswap @@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/mkswap +profile mkswap @{exec_path} { + #include + #include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/swaps r, + + # SWAP file common locations + owner /swapfile rw, + + #include if exists +} diff --git a/apparmor.d/mkvmerge b/apparmor.d/mkvmerge new file mode 100644 index 00000000..30463322 --- /dev/null +++ b/apparmor.d/mkvmerge 
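Review bot: The four `rPUx` rules for `/usr/share/initramfs-tools/hooks/*`, `/usr/share/initramfs-tools/scripts/*/*`, `/etc/initramfs-tools/hooks/*` and `/etc/initramfs-tools/scripts/*/*` run every hook and boot script unconfined whenever no dedicated profile exists, which in practice is all of them; that is the largest gap in the mkinitramfs profile and the `# What to do with it? (#FIXME#)` comment should state it, e.g. `# Hooks run unconfined (PUx): they exec arbitrary tools via copy_exec/ldd; per-hook profiles are the only real fix`. The `ldd` child profile lets `ld-*.so` map only `/{usr/,}bin/kmod mr`, so it appears to cover a single ldd invocation; if mkinitramfs itself runs ldd on other binaries, those calls will be denied, and since this profile has no `complain` flag that should be confirmed against the script before enforcing. The mkinitramfs hunk starts two lines earlier.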
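Review bot: `owner @{PROC}/@{pids}/mounts r` in mkntfs uses `@{pids}` where every other profile in this commit (mkswap on this line, mke2fs, mkfs-fat) uses `owner @{PROC}/@{pid}/mounts r`; with `owner` the `@{pids}` form only widens the grant to other same-uid processes' mount tables, which mkntfs has no visible reason to read. Suggest `owner @{PROC}/@{pid}/mounts r,` for consistency. `capability sys_admin` in mkntfs also has no comment explaining what the tool needs it for.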
@@ -0,0 +1,73 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Video/audio extensions: +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, +# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +@{mkvmerge_ext} = [aA]{52,[aA][cC],[cC]3} +@{mkvmerge_ext} += [mM][kK][aA] +@{mkvmerge_ext} += [fF][lL][aA][cC] +@{mkvmerge_ext} += [mM][pP][123cC] +@{mkvmerge_ext} += [oO][gGmM][aA] +@{mkvmerge_ext} += [wW]{,[aA]}[vV] +@{mkvmerge_ext} += [wW][mM]{,[aA]} +@{mkvmerge_ext} += 3[gG]{[2pP],[pP][2pP]} +@{mkvmerge_ext} += [aA][sS][fF] +@{mkvmerge_ext} += [aA][vV][iI] +@{mkvmerge_ext} += [dD][iI][vV][xX] +@{mkvmerge_ext} += [mM][124][vV] +@{mkvmerge_ext} += [mM][kKoO][vV] +@{mkvmerge_ext} += [mM][pP][4aAeEgG] +@{mkvmerge_ext} += [mM][pP][eE][gG]{,[124]} +@{mkvmerge_ext} += [oO][gG][gGmMxXvV] +@{mkvmerge_ext} += [rR][mM]{,[vV][bB]} +@{mkvmerge_ext} += [wW][eE][bB][mM] +@{mkvmerge_ext} += [wW][mMtT][vV] +@{mkvmerge_ext} += [mM][pP]2[tT] + +# Subtitle extensions: +# srt, txt, sub +@{mkvmerge_ext} += [sS][rR][tT] +@{mkvmerge_ext} += [tT][xX][tT] +@{mkvmerge_ext} += [sS][uU][bB] + +@{exec_path} = /{usr/,}bin/mkvmerge +profile mkvmerge @{exec_path} { + #include + #include + #include + + signal (receive) set=(term, kill) peer=mkvtoolnix-gui, + + @{exec_path} mr, + + # Which files mkvmerge should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + owner /{home,media}/**.@{mkvmerge_ext} rw, + + owner 
/tmp/MKVToolNix-process-*.json r, + owner /tmp/MKVToolNix-GUI-MuxJob-*.json r, + + # file_inherit + /dev/dri/card[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/mkvtoolnix-gui b/apparmor.d/mkvtoolnix-gui new file mode 100644 index 00000000..bdaad7b0 --- /dev/null +++ b/apparmor.d/mkvtoolnix-gui 
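Review bot: The `@{mkvmerge_ext}` extension list is maintained by hand here and repeated verbatim as `@{mkvtoolnix_ext}` in mkvtoolnix-gui and as the first part of `@{mpv_ext}` in mpv, so the three copies will drift apart as extensions are added. Moving the list into one shared tunable that the three profiles `#include` keeps a single definition. Separately, `/dev/dri/card[0-9]* rw,` under `# file_inherit` grants the GPU device to a muxer; if the rule only exists to silence an inherited descriptor, `deny /dev/dri/card[0-9]* rw,` keeps the log quiet without granting access, and a comment should say which it is.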
@@ -0,0 +1,117 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Video/audio extensions: +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, +# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +@{mkvtoolnix_ext} = [aA]{52,[aA][cC],[cC]3} +@{mkvtoolnix_ext} += [mM][kK][aA] +@{mkvtoolnix_ext} += [fF][lL][aA][cC] +@{mkvtoolnix_ext} += [mM][pP][123cC] +@{mkvtoolnix_ext} += [oO][gGmM][aA] +@{mkvtoolnix_ext} += [wW]{,[aA]}[vV] +@{mkvtoolnix_ext} += [wW][mM]{,[aA]} +@{mkvtoolnix_ext} += 3[gG]{[2pP],[pP][2pP]} +@{mkvtoolnix_ext} += [aA][sS][fF] +@{mkvtoolnix_ext} += [aA][vV][iI] +@{mkvtoolnix_ext} += [dD][iI][vV][xX] +@{mkvtoolnix_ext} += [mM][124][vV] +@{mkvtoolnix_ext} += [mM][kKoO][vV] +@{mkvtoolnix_ext} += [mM][pP][4aAeEgG] +@{mkvtoolnix_ext} += [mM][pP][eE][gG]{,[124]} +@{mkvtoolnix_ext} += [oO][gG][gGmMxXvV] +@{mkvtoolnix_ext} += [rR][mM]{,[vV][bB]} +@{mkvtoolnix_ext} += [wW][eE][bB][mM] +@{mkvtoolnix_ext} += [wW][mMtT][vV] +@{mkvtoolnix_ext} += [mM][pP]2[tT] + +# Subtitle extensions: +# srt, txt, sub +@{mkvtoolnix_ext} += [sS][rR][tT] +@{mkvtoolnix_ext} += [tT][xX][tT] +@{mkvtoolnix_ext} += [sS][uU][bB] + +@{exec_path} = /{usr/,}bin/mkvtoolnix-gui +profile mkvtoolnix-gui @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=mkvmerge, + + @{exec_path} mr, + + /{usr/,}bin/mkvmerge rPx, + + # 
Which files mkvtoolnix should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + owner /{home,media}/**.@{mkvtoolnix_ext} rw, + + owner @{HOME}/.config/bunkus.org/ rw, + owner @{HOME}/.config/bunkus.org/mkvtoolnix-gui/ rw, + owner @{HOME}/.config/bunkus.org/mkvtoolnix-gui/** rwkl -> @{HOME}/.config/bunkus.org/mkvtoolnix-gui/#[0-9]*[0-9], + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/bunkus.org/ rw, + owner @{HOME}/.cache/bunkus.org/mkvtoolnix-gui/ rw, + owner @{HOME}/.cache/bunkus.org/mkvtoolnix-gui/**/ rw, + owner @{HOME}/.cache/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw, + + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /dev/shm/#[0-9]*[0-9] rw, + + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/mlocate b/apparmor.d/mlocate new file mode 100644 index 00000000..335985aa --- /dev/null +++ b/apparmor.d/mlocate 
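Review bot: `/dev/shm/#[0-9]*[0-9] rw,` is granted without the `owner` qualifier, whereas the matching anonymous-file rule for `/tmp` in the same profile is `owner /tmp/#[0-9]*[0-9] rw,`; the mumble profile later in this commit has the same unqualified `/dev/shm/#[0-9]*[0-9] rw,`. The `#NNN` form is the name AppArmor reports for a file that has been unlinked, which is normally the process's own temporary object, so `owner` should cost nothing functionally. I would change both to `owner /dev/shm/#[0-9]*[0-9] rw,` so the rule cannot be read as access to other users' shared-memory segments.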
@@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/mlocate +profile mlocate @{exec_path} { + #include + #include + + # When run as root + capability dac_read_search, + + @{exec_path} mr, + + /var/lib/mlocate/mlocate.db r, + + #include if exists +} diff --git a/apparmor.d/mount b/apparmor.d/mount new file mode 100644 index 00000000..48b0f8fd --- /dev/null +++ b/apparmor.d/mount 
@@ -0,0 +1,64 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/mount +profile mount @{exec_path} flags=(complain) { + #include + #include + #include + + # To be able to mount anything + # mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted) + # write(2, "/mnt: permission denied.", 24) = 24 + capability sys_admin, + + # For NTFS mounts + capability setgid, + capability setuid, + + mount, + + @{exec_path} mr, + + /{usr/,}bin/ntfs-3g rPx, + /{usr/,}sbin/mount.cifs rPx, + + # Mount points + /media/*/ r, + /media/*/*/ r, + /mnt/ r, + /mnt/*/ r, + /media/cdrom[0-9]/ r, + + # Mount iso/img files + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + # The special /dev/loop-control file can be used to create and destroy loop devices or to find + # the first available loop device. + /dev/loop-control rw, + + /etc/fstab r, + + owner @{PROC}/@{pid}/mountinfo r, + + owner /{,var/}run/mount/ rw, + owner /{,var/}run/mount/utab{,.*} rw, + owner /{,var/}run/mount/utab.lock wk, + + #include if exists +} diff --git a/apparmor.d/mount.cifs b/apparmor.d/mount.cifs new file mode 100644 index 00000000..eb04aaa1 --- /dev/null +++ b/apparmor.d/mount.cifs 
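Review bot: The bare `mount,` rule permits every mount operation (any source, fstype, options and target), so once `flags=(complain)` is removed the profile still does not constrain what `mount` may do, unlike mount.cifs and ntfs-3g in this same commit, which scope their rules with `fstype=` and `-> /media/*/`. The `# Mount points` rules and the iso/img rules suggest the intended targets are `/media/*/`, `/mnt/` and loop-mounted images; if so, per-target rules such as `mount -> /media/*/,` would both document and enforce that, and if the unrestricted rule is kept on purpose the comment should say why. The four iso/img lines (also repeated in mtools) can be one rule using character classes, e.g. `owner @{HOME}/**.{[iI][sS][oO],[iI][mM][gG],[bB][iI][nN],[mM][dD][fF],[nN][rR][gG]} rwk,`.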
@@ -0,0 +1,41 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/mount.cifs +profile mount.cifs @{exec_path} flags=(complain) { + #include + + # To mount anything. + capability sys_admin, + + # (#FIXME#) + capability setpcap, + + @{exec_path} mr, + + /etc/fstab r, + + owner @{HOME}/.smbcredentials r, + + # Mount points + /media/*/ r, + /media/*/*/ r, + + # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=cifs -> /media/*/, + mount fstype=cifs -> /media/*/*/, + + #include if exists +} diff --git a/apparmor.d/mpsyt b/apparmor.d/mpsyt new file mode 100644 index 00000000..9dd9c0ed --- /dev/null +++ b/apparmor.d/mpsyt 
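Review bot: `capability setpcap,` is granted with only a `(#FIXME#)` marker, so the profile hands out a capability whose need is unconfirmed. Until a denial in the audit log proves it, `audit capability setpcap,` keeps the helper working while logging every use, which is the evidence that either justifies the line or lets it be dropped. The `owner @{HOME}/.smbcredentials r,` rule also deserves a comment that this is the file usually passed through the `credentials=` mount option, since a reader may otherwise wonder why a mount helper reads a home-directory file.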
@@ -0,0 +1,66 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/mpsyt +profile mpsyt @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=mpv, + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/tset rix, + /{usr/,}sbin/ldconfig rix, + /{usr/,}bin/uname rix, + + /{usr/,}bin/mpv rPUx, + /{usr/,}bin/ffmpeg rPUx, + /{usr/,}bin/ffprobe rPUx, + + # MPV config files + /etc/mpv/* r, + owner @{HOME}/.config/mpv/* r, + + # mps-yt config files + owner @{HOME}/.config/mps-youtube/{,**} rw, + + # Cache files + owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw, + + # Download DIR + /media/Kabi/YT/ r, + /media/Kabi/YT/** rw, + + /etc/inputrc r, + /etc/mime.types r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + /tmp/ r, + owner /tmp/[a-z0-9]* rw, + owner /tmp/mpsyt-input* rw, + owner /tmp/mpsyt-mpv*.sock rw, + + #include if exists +} diff --git a/apparmor.d/mpv b/apparmor.d/mpv new file mode 100644 index 00000000..b98e680e --- /dev/null +++ b/apparmor.d/mpv 
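Review bot: `owner /tmp/[a-z0-9]* rw,` grants read/write to every owner-matched `/tmp` entry whose name starts with a lowercase letter or digit, which is far wider than the `mpsyt-input*` and `mpsyt-mpv*.sock` rules right below it and overlaps the temporary files of every other profile in this commit. If the rule exists for one specific temp-file pattern, naming that pattern (with a comment) keeps mpsyt from becoming a way to read or alter other confined programs' temporary files. `/media/Kabi/YT/` is a machine-specific download directory hard-coded into the rules; a tunable such as `@{mpsyt_download_dir}` (constructed name) declared at the top would let others adopt the profile without editing it. `/{usr/,}sbin/ldconfig rix,` runs ldconfig inside this profile, while mkinitramfs earlier in this commit confines it in a dedicated `ldconfig` child profile; a child profile or `rPx` here would keep its rights separate.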
@@ -0,0 +1,155 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Video/audio extensions: +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, +# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +@{mpv_ext} = [aA]{52,[aA][cC],[cC]3} +@{mpv_ext} += [mM][kK][aA] +@{mpv_ext} += [fF][lL][aA][cC] +@{mpv_ext} += [mM][pP][123cC] +@{mpv_ext} += [oO][gGmM][aA] +@{mpv_ext} += [wW]{,[aA]}[vV] +@{mpv_ext} += [wW][mM]{,[aA]} +@{mpv_ext} += 3[gG]{[2pP],[pP][2pP]} +@{mpv_ext} += [aA][sS][fF] +@{mpv_ext} += [aA][vV][iI] +@{mpv_ext} += [dD][iI][vV][xX] +@{mpv_ext} += [mM][124][vV] +@{mpv_ext} += [mM][kKoO][vV] +@{mpv_ext} += [mM][pP][4aAeEgG] +@{mpv_ext} += [mM][pP][eE][gG]{,[124]} +@{mpv_ext} += [oO][gG][gGmMxXvV] +@{mpv_ext} += [rR][mM]{,[vV][bB]} +@{mpv_ext} += [wW][eE][bB][mM] +@{mpv_ext} += [wW][mMtT][vV] +@{mpv_ext} += [mM][pP]2[tT] + +# Image extensions +# bmp, jpg, jpeg, png, gif +@{mpv_ext} += [bB][mM][pP] +@{mpv_ext} += [jJ][pP]{,[eE]}[gG] +@{mpv_ext} += [pP][nN][gG] +@{mpv_ext} += [gG][iI][fF] + +# Subtitle extensions: +# srt, txt, sub +@{mpv_ext} += [sS][rR][tT] +@{mpv_ext} += [tT][xX][tT] +@{mpv_ext} += [sS][uU][bB] + +# Playlist extensions: +# m3u, m3u8, pls +@{mpv_ext} += [mM]3[uU]{,8} +@{mpv_ext} += [pP][lL][sS] + +# For Qbittorrent !qB extension +@{mpv_ext} += "!qB" + + +@{exec_path} = /{usr/,}bin/mpv +profile mpv @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + 
#include + #include + #include + + signal (receive) set=(term, kill), + + signal (send) set=(term, kill) peer=youtube-dl, + + @{exec_path} mr, + + # MPV config files + /etc/mpv/* r, + owner @{HOME}/.config/mpv/ rw, + owner @{HOME}/.config/mpv/* rw, + + # Which files MPV should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + /tmp/ r, + owner /tmp/mpsyt-input* rw, + owner /tmp/mpsyt-mpv*.sock rw, + owner /tmp/smplayer-mpv-* rw, + owner /tmp/mozilla_*/ r, + owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} rw, + + # For the SMPlayer's builtin thumbnail generator + owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w, + + # For SMPlayer's screenshots + owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w, + + # Media downloaded by firefox + #deny owner /tmp/mozilla_*/* r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/ r, + + ##include + /etc/vdpau_wrapper.cfg r, + + /etc/glvnd/egl_vendor.d/ r, + /usr/share/glvnd/egl_vendor.d/ r, + /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r, + + # What's this for? (since v0.30.0) + @{sys}/bus/ r, + @{sys}/class/ r, + # + @{sys}/class/input/ r, + @{sys}/devices/**/input/**/uevent r, + @{sys}/devices/**/input/**/capabilities/* r, + /dev/input/event[0-9]* r, + /{var/,}run/udev/data/+input:input[0-9]* r, + /{var/,}run/udev/data/c13:[0-9]* r, # for /dev/input/* + # + @{sys}/class/sound/ r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/**/sound/**/capabilities/* r, + /{var/,}run/udev/data/+sound:* r, + /{var/,}run/udev/data/c116:[0-9]* r, # for ALSA + + # Be able to turn off the screensaver while playing movies + /{usr/,}bin/xdg-screensaver rPUx, + + # External apps + /{usr/,}bin/youtube-dl rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/mtools b/apparmor.d/mtools new file mode 100644 index 00000000..6d440249 
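Review bot: `/dev/input/event[0-9]* r,` together with the `@{sys}/class/input/` and udev `+input:` rules lets mpv read raw input event devices, and the `# What's this for? (since v0.30.0)` comment admits the purpose is unknown. Reading `/dev/input/event*` exposes keystrokes and pointer events from every input device; DAC normally limits those nodes to root and the `input` group, but the profile of a player that opens untrusted media should not be the weaker layer. Until the need is confirmed, `deny /dev/input/event[0-9]* r,` (or `audit` on the rule) keeps the log quiet without granting the device. The commented-out `##include` and `#deny owner /tmp/mozilla_*/* r,` lines are dead code and should be removed or explained.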
--- /dev/null +++ b/apparmor.d/mtools @@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip} +profile mtools @{exec_path} { + #include + #include + #include + #include + + capability setuid, + capability setgid, + + @{exec_path} mr, + + # Mtools config file locations + /etc/mtools.conf r, + /etc/default/mtools.conf r, + owner @{HOME}/.mtoolsrc r, + + # A place for file images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + #include if exists +} diff --git a/apparmor.d/mumble b/apparmor.d/mumble new file mode 100644 index 00000000..814bded5 --- /dev/null +++ b/apparmor.d/mumble 
@@ -0,0 +1,96 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/mumble +profile mumble @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mrix, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/xdg-open rCx -> open, + + # Mumble home files + owner @{HOME}/ r, + owner @{HOME}/.config/Mumble/ rw, + owner @{HOME}/.config/Mumble/** rwkl -> @{HOME}/.config/Mumble/#[0-9]*[0-9], + owner @{HOME}/.local/share/Mumble/ rw, + owner @{HOME}/.local/share/Mumble/** rwk, + owner @{HOME}/.MumbleOverlayPipe rw, + owner @{HOME}/.MumbleSocket rw, + + owner @{HOME}/.jackdrc r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /dev/shm/MumbleLink.[0-9]*[0-9] rw, + /dev/shm/#[0-9]*[0-9] rw, + + owner /{var/,}run/user/[0-9]*/MumbleSocket rw, + owner /{var/,}run/user/[0-9]*/MumbleOverlayPipe rw, + + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + + /etc/fstab r, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/hwdata/pnp.ids r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + 
#include if exists +} diff --git a/apparmor.d/mumble-overlay b/apparmor.d/mumble-overlay new file mode 100644 index 00000000..60af44bb --- /dev/null +++ b/apparmor.d/mumble-overlay @@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/mumble-overlay +profile mumble-overlay @{exec_path} { + #include + #include + #include + + @{exec_path} r, + + /{usr/,}bin/bash rix, + /{usr/,}bin/file rix, + /{usr/,}bin/which rix, + + /{usr/,}bin/glxgears rPx, + + /etc/magic r, + + #include if exists +} diff --git a/apparmor.d/netcap b/apparmor.d/netcap new file mode 100644 index 00000000..1242bbdf --- /dev/null +++ b/apparmor.d/netcap 
@@ -0,0 +1,41 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/netcap +profile netcap @{exec_path} { + #include + #include + + capability sys_ptrace, + + # To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other + # users than root, for instance systemd-timesync. + capability dac_read_search, + + ptrace (read), + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pid}/net/tcp{,6} r, + owner @{PROC}/@{pid}/net/udp{,6} r, + owner @{PROC}/@{pid}/net/raw{,6} r, + owner @{PROC}/@{pid}/net/packet r, + owner @{PROC}/@{pid}/net/dev r, + + #include if exists +} diff --git a/apparmor.d/nethogs b/apparmor.d/nethogs new file mode 100644 index 00000000..a839e999 --- /dev/null +++ b/apparmor.d/nethogs @@ -0,0 +1,36 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/nethogs +profile nethogs @{exec_path} { + #include + #include + + capability syslog, + capability net_raw, + capability dac_read_search, + capability sys_ptrace, + + ptrace (read), + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/net/tcp{,6} r, + + #include if exists +} 
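Review bot: `capability syslog,` in nethogs is the only capability in the netcap/nethogs pair without a comment saying what it is for, and nothing in the profile, which otherwise reads only `@{PROC}` entries, makes the need obvious. If it was taken from a denial in the audit log, a comment such as `# Seen in the audit log when ...` records that; if not, it should be left out until a denial proves it. Both profiles also combine an unscoped `ptrace (read),` with `capability sys_ptrace,` and `capability dac_read_search,`; netcap explains the `dac_read_search` part, and nethogs would benefit from the same one-line comment, e.g. `# To map sockets in @{PROC}/@{pids}/fd/ to their owning process`.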
diff --git a/apparmor.d/networkctl b/apparmor.d/networkctl new file mode 100644 index 00000000..b2572944 --- /dev/null +++ b/apparmor.d/networkctl @@ -0,0 +1,57 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/networkctl +profile networkctl @{exec_path} flags=(complain) { + #include + + # To be able to manage network interfaces, + capability net_admin, + + # Needed? (#FIXME#) + audit deny capability sys_resource, + audit deny capability sys_module, + + signal send peer=child-pager, + + @{exec_path} mr, + + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + + @{sys}/devices/**/net/**/uevent r, + + /{var/,}run/systemd/netif/links/[0-9]* r, + /{var/,}run/systemd/netif/state r, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/random/boot_id r, + + /etc/udev/hwdb.bin r, + + # To be able to read logs + /{var/,}run/log/ r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/[0-9a-f]*/ r, + /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r, + /{run,var}/log/journal/[0-9a-f]*/system.journal* r, + /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + #include if exists +} diff --git a/apparmor.d/newgrp b/apparmor.d/newgrp new file mode 100644 index 00000000..2ff834ec --- /dev/null +++ b/apparmor.d/newgrp 
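Review bot: `/{var/,}run/log/ r,` expands to `/run/log/` and `/var/run/log/`, but the journal rules beneath it use `/{run,var}/log/journal/`, i.e. `/run/log/journal/` and `/var/log/journal/`; the parent-directory read for `/var/log/` is therefore not granted, and the first rule looks like a typo for `/{run,var}/log/ r,`. Worth confirming in enforce mode, since the mismatch only shows up as a denial when networkctl lists `/var/log/`. The `# Needed? (#FIXME#)` block already uses `audit deny`, which is the right way to gather that evidence; once the log shows no hits the two lines can be deleted.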
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/newgrp +profile newgrp @{exec_path} { + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To remove the following errors: + # setgroups: Operation not permitted + # setgid: Operation not permitted + capability setgid, + + # newgrp is a SETUID binary + capability setuid, + + @{exec_path} mr, + + # Shells to use + /{usr/,}bin/{,b,d,rb}ash rPUx, + /{usr/,}bin/{c,k,tc,z}sh rPUx, + + /etc/{passwd,group,shadow,gshadow} r, + + /etc/login.defs r, + + owner @{PROC}/@{pid}/loginuid r, + + #include if exists +} diff --git a/apparmor.d/nft b/apparmor.d/nft new file mode 100644 index 00000000..0f01a16a --- /dev/null +++ b/apparmor.d/nft @@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/nft +profile nft @{exec_path} { + #include + #include + + capability net_admin, + + @{exec_path} mr, + + owner /etc/iproute2/** r, + + owner /etc/nftables/**.nft r, + + #include if exists +} diff --git a/apparmor.d/nmap b/apparmor.d/nmap new file mode 100644 index 00000000..24671812 --- /dev/null +++ b/apparmor.d/nmap 
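Review bot: In nft, `owner /etc/iproute2/** r,` and `owner /etc/nftables/**.nft r,` put the `owner` qualifier on system configuration files, which only matches when the file's uid equals the uid running nft; for a tool that needs `capability net_admin,` and so runs as root this works for root-owned files, but a ruleset installed with another owner would be denied. If the qualifier is deliberate a comment should say so; otherwise the plain `/etc/nftables/**.nft r,` form is the conventional one for `/etc` reads. In newgrp, the `rPUx` exec of the shells is the expected login-shell behaviour, but a comment that the spawned shell runs unconfined when no profile for it is loaded would make that explicit.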
@@ -0,0 +1,39 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/nmap +profile nmap @{exec_path} { + #include + #include + #include + #include + + capability net_raw, + capability net_bind_service, + + signal (receive) set=(term, kill) peer=zenmap, + + @{exec_path} r, + + owner @{PROC}/@{pid}/net/dev r, + owner @{PROC}/@{pid}/net/if_inet6 r, + + /usr/share/nmap/** r, + + owner /tmp/zenmap-stdout-* rw, + owner /tmp/zenmap-*.xml rw, + + #include if exists +} diff --git a/apparmor.d/ntfs-3g b/apparmor.d/ntfs-3g new file mode 100644 index 00000000..c1cc9dc3 --- /dev/null +++ b/apparmor.d/ntfs-3g 
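Review bot: `@{exec_path} r,` in nmap is the only compiled-binary profile in this commit without `m` on its own executable (`@{exec_path} mr,` elsewhere; `r` alone is used only for scripts such as mpsyt and mumble-overlay). Whether nmap needs to map its own binary I cannot tell from here; if the profile was tested in enforce mode the `r` form is fine, otherwise `@{exec_path} mr,` matches the rest of the set. The `owner /tmp/zenmap-stdout-* rw,` and `owner /tmp/zenmap-*.xml rw,` rules would read better with a comment that these are the output files exchanged with zenmap, which also explains the `signal (receive) ... peer=zenmap` rule.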
@@ -0,0 +1,54 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/{low,}ntfs{,-3g} +@{exec_path} += /{usr/,}sbin/mount.{low,}ntfs{,-3g} +profile ntfs-3g @{exec_path} { + #include + #include + # When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume + #include + + # Needed in order to mount ntfs disks + capability setgid, + capability setuid, + capability sys_admin, + + @{exec_path} mr, + + @{PROC}/@{pids}/task/@{tid}/status r, + owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/swaps r, + + /dev/fuse rw, + + # Mount points + /media/*/ r, + /media/*/*/ r, + /mnt/ r, + /mnt/*/ r, + + # Allow to mount ntfs disks only under the /media/ and /mnt/ dirs + mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /media/*/, + mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /media/*/*/, + mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/, + mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/*/, + + # kmod is used to load the fuse kernel module + /{usr/,}bin/kmod rPx, + + #include if exists +} diff --git a/apparmor.d/ntfs-3g-probe b/apparmor.d/ntfs-3g-probe new file mode 100644 index 00000000..2723ea84 --- /dev/null +++ b/apparmor.d/ntfs-3g-probe 
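Review bot: The `mount fstype=fuseblk /dev/sd[a-z][0-9]* -> ...` rules restrict the source to `/dev/sd*` devices, so NTFS volumes on NVMe, MMC or loop devices will be denied at mount time, while the `# Allow to mount ntfs disks only under the /media/ and /mnt/ dirs` comment suggests only the target was meant to be restricted. If the device restriction is intentional the comment should state it; if not, widening the source pattern (or dropping it and keeping `fstype=fuseblk` plus the `->` target) matches the stated intent. Note also that `-> /mnt/` allows mounting over `/mnt` itself, which hides whatever is already mounted there; worth a comment if deliberate.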
@@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ntfs-3g.probe +profile ntfs-3g-probe @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + #include if exists +} diff --git a/apparmor.d/ntfscat b/apparmor.d/ntfscat new file mode 100644 index 00000000..a9cf08e9 --- /dev/null +++ b/apparmor.d/ntfscat @@ -0,0 +1,28 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ntfscat +profile ntfscat @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + + #include if exists +} diff --git a/apparmor.d/ntfsclone b/apparmor.d/ntfsclone new file mode 100644 index 00000000..a0380751 --- /dev/null +++ b/apparmor.d/ntfsclone 
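Review bot: ntfscat, ntfscluster, ntfscmp, ntfsfallocate, ntfsfix and ntfsinfo are the same profile apart from the binary name (`capability sys_admin,`, `@{exec_path} mr,`, `owner @{PROC}/@{pid}/mounts r,`), and mkntfs and ntfs-3g-probe differ only slightly. This commit already uses a multi-binary `@{exec_path}` for mtools and for `{mkntfs,mkfs.ntfs}`, so the identical utilities could be one profile such as `@{exec_path} = /{usr/,}bin/ntfs{cat,cluster,cmp,fallocate,fix,info}` with a single rule set, which removes the drift that has already appeared (mkntfs uses `@{pids}` where the others use `@{pid}`). If they are kept separate because some tools are expected to need different rights later, a comment in each saying so would help the next maintainer.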
@@ -0,0 +1,32 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/ntfsclone +profile ntfsclone @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + + # A place for backups + @{HOME}/** rwk, + /media/*/** rwk, + + #include if exists +} diff --git a/apparmor.d/ntfscluster b/apparmor.d/ntfscluster new file mode 100644 index 00000000..ab863d6f --- /dev/null +++ b/apparmor.d/ntfscluster @@ -0,0 +1,28 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ntfscluster +profile ntfscluster @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + + #include if exists +} diff --git a/apparmor.d/ntfscmp b/apparmor.d/ntfscmp new file mode 100644 index 00000000..0fe0870b --- /dev/null +++ b/apparmor.d/ntfscmp 
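Review bot: `@{HOME}/** rwk,` and `/media/*/** rwk,` carry no `owner` qualifier, so ntfsclone, which needs `capability sys_admin,` and is run as root, may read, overwrite and lock every file in every user's home directory and on every mounted medium. For a `# A place for backups` rule, a dedicated subtree such as `@{HOME}/[bB]ackup{,s}/** rwk,` (constructed name) or at least `owner` where the invoking user owns the image limits what a misbehaving run can touch; ntfscp later in this commit has the same unqualified pattern on `[dD]ownload{,s}` and `[dD]esktop`, though there the comment at least explains the `dac_read_search` reason. If the wide rule is deliberate, a comment stating the trade-off shows it is not an oversight.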
@@ -0,0 +1,28 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ntfscmp +profile ntfscmp @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + + #include if exists +} diff --git a/apparmor.d/ntfscp b/apparmor.d/ntfscp new file mode 100644 index 00000000..a88f021f --- /dev/null +++ b/apparmor.d/ntfscp @@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/ntfscp +profile ntfscp @{exec_path} { + #include + #include + + capability sys_admin, + + @{exec_path} mr, + + # For writing files owned by users other than root, since ntfscp has to be started as root. + capability dac_read_search, + @{HOME}/[dD]ownload{,s}/ r, + @{HOME}/[dD]ownload{,s}/** rwl -> @{HOME}/[dD]ownload{,s}/**, + @{HOME}/[dD]esktop/ r, + @{HOME}/[dD]esktop/** rwl -> @{HOME}/[dD]esktop/**, + + owner @{PROC}/@{pid}/mounts r, + + #include if exists +} diff --git a/apparmor.d/ntfsdecrypt b/apparmor.d/ntfsdecrypt new file mode 100644 index 00000000..1909dbd9 --- /dev/null +++ b/apparmor.d/ntfsdecrypt 
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsdecrypt
+profile ntfsdecrypt @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ # Common locations of the key
+ owner /tmp/*.key r,
+ owner @{HOME}/*.key r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsfallocate b/apparmor.d/ntfsfallocate
new file mode 100644
index 00000000..04c6a767
--- /dev/null
+++ b/apparmor.d/ntfsfallocate
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsfallocate
+profile ntfsfallocate @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsfix b/apparmor.d/ntfsfix
new file mode 100644
index 00000000..0bb2e87b
--- /dev/null
+++ b/apparmor.d/ntfsfix
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsfix
+profile ntfsfix @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsinfo b/apparmor.d/ntfsinfo
new file mode 100644
index 00000000..0d310537
--- /dev/null
+++ b/apparmor.d/ntfsinfo
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsinfo
+profile ntfsinfo @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfslabel b/apparmor.d/ntfslabel
new file mode 100644
index 00000000..d830a4e8
--- /dev/null
+++ b/apparmor.d/ntfslabel
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/ntfslabel
+profile ntfslabel @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsls b/apparmor.d/ntfsls
new file mode 100644
index 00000000..9614213b
--- /dev/null
+++ b/apparmor.d/ntfsls
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsls
+profile ntfsls @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsmove b/apparmor.d/ntfsmove
new file mode 100644
index 00000000..d990cce6
--- /dev/null
+++ b/apparmor.d/ntfsmove
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsmove
+profile ntfsmove @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsrecover b/apparmor.d/ntfsrecover
new file mode 100644
index 00000000..61ff6c18
--- /dev/null
+++ b/apparmor.d/ntfsrecover
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsrecover
+profile ntfsrecover @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsresize b/apparmor.d/ntfsresize
new file mode 100644
index 00000000..20a41002
--- /dev/null
+++ b/apparmor.d/ntfsresize
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/ntfsresize
+profile ntfsresize @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfssecaudit b/apparmor.d/ntfssecaudit
new file mode 100644
index 00000000..0ff4e42c
--- /dev/null
+++ b/apparmor.d/ntfssecaudit
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfssecaudit
+profile ntfssecaudit @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfstruncate b/apparmor.d/ntfstruncate
new file mode 100644
index 00000000..77695d6a
--- /dev/null
+++ b/apparmor.d/ntfstruncate
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfstruncate
+profile ntfstruncate @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsundelete b/apparmor.d/ntfsundelete
new file mode 100644
index 00000000..26d50ead
--- /dev/null
+++ b/apparmor.d/ntfsundelete
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/ntfsundelete
+profile ntfsundelete @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ # The recovery dir
+ owner /tmp/ntfs-recovery/ r,
+ owner /tmp/ntfs-recovery/* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfsusermap b/apparmor.d/ntfsusermap
new file mode 100644
index 00000000..26111eb8
--- /dev/null
+++ b/apparmor.d/ntfsusermap
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfsusermap
+profile ntfsusermap @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ # Where to save the UserMapping file
+ owner /root/UserMapping w,
+ owner /tmp/UserMapping w,
+
+ #include if exists
+}
diff --git a/apparmor.d/ntfswipe b/apparmor.d/ntfswipe
new file mode 100644
index 00000000..0e0ad9c1
--- /dev/null
+++ b/apparmor.d/ntfswipe
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/ntfswipe
+profile ntfswipe @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/numlockx b/apparmor.d/numlockx
new file mode 100644
index 00000000..e6261432
--- /dev/null
+++ b/apparmor.d/numlockx
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/numlockx
+profile numlockx @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/nvidia_modprobe b/apparmor.d/nvidia_modprobe
new file mode 100644
index 00000000..01f714ca
--- /dev/null
+++ b/apparmor.d/nvidia_modprobe
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+
+#include
+
+profile nvidia_modprobe {
+ #include
+
+ # Capabilities
+
+ capability chown,
+ capability mknod,
+ capability setuid,
+ capability sys_admin,
+
+ # Main executable
+
+ /usr/bin/nvidia-modprobe mr,
+
+ # Other executables
+
+ /usr/bin/kmod Cx -> kmod,
+
+ # System files
+
+ /dev/nvidia-uvm w,
+ /dev/nvidia-uvm-tools w,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/config r,
+ @{PROC}/devices r,
+ @{PROC}/modules r,
+ @{PROC}/sys/kernel/modprobe r,
+
+ # Child profiles
+
+ profile kmod {
+ #include
+
+ # Capabilities
+
+ capability sys_module,
+
+ # Main executable
+
+ /usr/bin/kmod mrix,
+
+ # Other executables
+
+ /{,usr/}bin/{,ba,da}sh ix,
+
+ # System files
+
+ /etc/modprobe.d/{,*.conf} r,
+ /etc/nvidia/current/*.conf r,
+ @{sys}/module/ipmi_devintf/initstate r,
+ @{sys}/module/ipmi_msghandler/initstate r,
+ @{sys}/module/nvidia/initstate r,
+ @{PROC}/cmdline r,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
+
diff --git a/apparmor.d/obamenu b/apparmor.d/obamenu
new file mode 100644
index 00000000..4c8567f0
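Review bot: `profile nvidia_modprobe {` carries no attachment path, unlike every other profile in this commit (`profile NAME @{exec_path} {`), so it is never applied when /usr/bin/nvidia-modprobe is executed directly from a shell or a display manager; it only takes effect if some other profile transitions into it by name. If confinement on direct execution is intended, add `@{exec_path} = /usr/bin/nvidia-modprobe` and change the header to `profile nvidia_modprobe @{exec_path} {`; if it is meant purely as a named transition target, a comment saying so would stop the next reader from "fixing" it. The file also omits the license header, the `#abi` line and the `/{usr/,}bin` path style that the neighbouring profiles use, which suggests it was imported from elsewhere and not normalised.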
--- /dev/null
+++ b/apparmor.d/obamenu
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/obamenu
+profile obamenu @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* rix,
+
+ /{usr/,}bin/ r,
+
+ /usr/share/applications/ r,
+ /usr/share/applications/*.desktop r,
+ /usr/share/pixmaps/ r,
+ /usr/share/*/*.desktop r,
+
+ #include if exists
+}
diff --git a/apparmor.d/obconf b/apparmor.d/obconf
new file mode 100644
index 00000000..030130b3
--- /dev/null
+++ b/apparmor.d/obconf
@@ -0,0 +1,49 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/obconf
+profile obconf @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/obconf/{,*} r,
+
+ /etc/xdg/openbox/rc.xml r,
+
+ owner @{HOME}/.config/openbox/rc.xml rw,
+
+ owner @{HOME}/.themes/{,**} r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/obxprop b/apparmor.d/obxprop
new file mode 100644
index 00000000..9d50727b
--- /dev/null
+++ b/apparmor.d/obxprop
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/obxprop
+profile obxprop @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{HOME}/.icons/default/index.theme r,
+ /usr/share/icons/*/cursors/crosshair r,
+
+ #include if exists
+}
diff --git a/apparmor.d/okular b/apparmor.d/okular
new file mode 100644
index 00000000..ecb25b05
--- /dev/null
+++ b/apparmor.d/okular
@@ -0,0 +1,121 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{okular_ext} = [pP][dD][fF]
+
+@{exec_path} = /{usr/,}bin/okular
+profile okular @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Which media files Okular should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ /tmp/ r,
+ /tmp/mozilla_*/ r,
+ owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
+
+ owner @{HOME}/.config/#[0-9]*[0-9] rw,
+
+ owner @{HOME}/.config/okularrc rw,
+ owner @{HOME}/.config/okularrc.lock rwk,
+ owner @{HOME}/.config/okularrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
+
+ owner @{HOME}/.config/okularpartrc rw,
+ owner @{HOME}/.config/okularpartrc.lock rwk,
+ owner @{HOME}/.config/okularpartrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
+
+ owner @{HOME}/.config/kdeglobals r,
+ owner @{HOME}/.config/kwalletrc r,
+
+ owner @{HOME}/.local/share/okular/{,**} rw,
+
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/okular/{,**} rw,
+
+ /usr/share/okular/{,**} r,
+ /usr/share/kxmlgui5/okular/{,*} r,
+
+ /usr/share/poppler/** r,
+ /usr/share/hwdata/pnp.ids r,
+
+ /etc/xdg/ui/ui_standards.rc r,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ deny @{PROC}/sys/kernel/random/boot_id r,
+ deny owner @{PROC}/@{pid}/cmdline r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # Search phrase in google
+ /{usr/,}bin/xdg-open rCx -> open,
+ /usr/share/kservices5/searchproviders/{,*.desktop} r,
+ /usr/share/kservices5/{,*.protocol} r,
+ /etc/xdg/kshorturifilterrc r,
+
+ # Print to pdf
+ /{usr/,}bin/ps2pdf rPUx,
+ owner /tmp/[0-9a-f]* rw,
+ owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
+
+ # About
+ /usr/share/kf5/licenses/GPL_V2 r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/on-ac-power b/apparmor.d/on-ac-power
new file mode 100644
index 00000000..64907d27
--- /dev/null
+++ b/apparmor.d/on-ac-power
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/on_ac_power /{usr/,}bin/on_ac_power
+profile on-ac-power @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/awk rix,
+ /{usr/,}bin/cat rix,
+
+ @{sys}/class/power_supply/ r,
+ @{sys}/devices/**/power_supply/**/{online,type} r,
+
+ @{PROC}/pmu/info r,
+ @{PROC}/apm r,
+
+ #include if exists
+}
diff --git a/apparmor.d/openbox b/apparmor.d/openbox
new file mode 100644
index 00000000..a43855e0
--- /dev/null
+++ b/apparmor.d/openbox
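Review bot: `owner /tmp/[0-9a-f]* rw,` under `# Print to pdf` matches any hex-named file of the user's in /tmp, which is far wider than the neighbouring print rules (`/tmp/okular_*.ps`, `/tmp/#[0-9]*[0-9]`) and will silently cover unrelated temporaries created by other programs. If the print path produces names of a known length or prefix the glob should pin that; otherwise a comment recording which component creates these files — e.g. `# <component — TODO confirm> writes hex-named temp files here during print-to-pdf` — would make the width reviewable. The `open` child profile also ends without the `#include if exists` line that the `autostart` child in the openbox profile carries, which looks like an oversight in an otherwise uniform set.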
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/openbox
+profile openbox @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (send) set=(term, kill),
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
+
+ # Apps allowed to run
+ /{usr/,}sbin/* rPUx,
+ /{usr/,}bin/* rPUx,
+ /usr/libexec/* rPUx,
+
+ /usr/share/themes/*/openbox-3/themerc r,
+
+ /etc/xdg/openbox/* r,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.config/openbox/* r,
+
+ owner @{HOME}/.config/obmenu-generator/icons/[0-9a-f]*.png r,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/openbox/ rw,
+ owner @{HOME}/.cache/openbox/openbox.log rw,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+
+ profile autostart {
+ #include
+
+ /{usr/,}lib/@{multiarch}/openbox-autostart mr,
+ /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
+
+ # Apps allowed to run
+ /{usr/,}bin/* rPUx,
+ /usr/libexec/* rPUx,
+ /{usr/,}lib/@{multiarch}/xfce4/*/* rPUx,
+ /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-1 rPUx,
+
+ /usr/local/lib/python*/dist-packages/ r,
+
+ owner @{HOME}/.config/openbox/autostart r,
+ /etc/xdg/openbox/autostart r,
+
+ owner @{HOME}/.config/autostart/{,*} r,
+ /etc/xdg/autostart/{,*} r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+ }
+
+ #include if exists
+}
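Review bot: `signal (send) set=(term, kill),` has no `peer=` restriction, so the window manager may terminate any process of the user, whereas the opera profile in this same commit scopes its signal rules with `peer=opera-sandbox` and `peer=keepassxc-proxy`. For a window manager that has to close arbitrary client windows a peer restriction may well be impractical; in that case a comment such as `# WM must be able to kill arbitrary client processes; no peer restriction possible` records the decision, and if the targets are only the children launched through the `rPUx` rules, `peer=unconfined` would at least bound it. The same unbounded `/{usr/,}bin/* rPUx` fallback is repeated in the `autostart` child, so a single comment explaining that the WM is the intended launch point for unconfined apps would serve both.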
diff --git a/apparmor.d/openbox-session b/apparmor.d/openbox-session
new file mode 100644
index 00000000..1435d164
--- /dev/null
+++ b/apparmor.d/openbox-session
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/openbox-session
+profile openbox-session @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/xprop rPx,
+ /{usr/,}bin/openbox rPx,
+
+ /etc/xdg/openbox/environment r,
+ owner @{HOME}/.config/openbox/environment r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn
new file mode 100644
index 00000000..8445f413
--- /dev/null
+++ b/apparmor.d/openvpn
@@ -0,0 +1,118 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#
+# The following profile assumes that:
+# openvpn is started as root with dropping privileges
+# iptables is used
+# config files are stored in: /etc/openvpn/*.{conf,ovpn}
+# certs/keys are stored in: /etc/openvpn/certs/*.{key,crt}
+# auth credentials are stored in: /etc/openvpn/auth/*.auth
+# logs are redirected to: /var/log/openvpn/*.log
+# DNS/resolver script is stored in: /etc/openvpn/update-resolv-conf{,.sh}
+# If a user wants to type user/pass interactively, systemd-ask-password is invoked for that.
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/openvpn
+profile openvpn @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability net_admin,
+ # These are needed when user/group are set in a OpenVPN config file
+ capability setuid,
+ capability setgid,
+
+ @{exec_path} mr,
+
+ # OpenVPN config
+ /etc/openvpn/*.{conf,ovpn} r,
+ /etc/openvpn/auth/*.auth r,
+ /etc/openvpn/certs/*.{key,crt} r,
+
+ /var/log/openvpn/*.log w,
+
+ /{,var/}run/openvpn/*.{pid,status} rw,
+
+ /{usr/,}bin/ip rix,
+ /{usr/,}bin/systemd-ask-password rCx -> systemd-ask-password,
+ /etc/openvpn/update-resolv-conf{,.sh} rCx -> update-resolv,
+ /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn,
+
+ /dev/net/tun rw,
+
+ owner @{PROC}/@{pid}/net/route r,
+
+
+ profile systemd-ask-password {
+ #include
+ #include
+
+ /{usr/,}bin/systemd-ask-password mr,
+
+ @{PROC}/filesystems r,
+ owner @{PROC}/@{pid}/stat r,
+
+ }
+
+ profile update-resolv {
+ #include
+ #include
+ #include
+
+ capability net_admin,
+
+ /etc/openvpn/update-resolv-conf.sh r,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/ip rix,
+ /{usr/,}sbin/xtables-nft-multi rix,
+
+ /etc/iproute2/rt_tables r,
+ /etc/iproute2/rt_tables.d/ r,
+
+ }
+
+ profile force-user-traffic-via-vpn {
+ #include
+ #include
+ #include
+
+ capability net_admin,
+
+ /etc/openvpn/force-user-traffic-via-vpn.sh r,
+
+ /{usr/,}bin/dash rix,
+ #/{usr/,}bin/bash rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/ip rix,
+ /{usr/,}sbin/nft rix,
+ /{usr/,}bin/env rix,
+
+ /etc/iproute2/rt_realms r,
+ /etc/iproute2/group r,
+ /etc/iproute2/rt_tables.d/ r,
+ /etc/iproute2/rt_tables rw,
+ /etc/iproute2/sed* rw,
+
+ owner @{PROC}/sys/net/ipv{4,}/route/flush w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/opera b/apparmor.d/opera
new file mode 100644
index 00000000..2a6f3272
--- /dev/null
+++ b/apparmor.d/opera
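Review bot: The parent transitions on `/etc/openvpn/update-resolv-conf{,.sh} rCx -> update-resolv,` but the `update-resolv` child only grants `/etc/openvpn/update-resolv-conf.sh r,`, so a script installed under the suffix-less name (which the header comment also lists as supported) would enter the child and then be denied reading itself. Mirror the glob in the child: `/etc/openvpn/update-resolv-conf{,.sh} r,`. Separately, the header states `iptables is used` while both children execute `xtables-nft-multi` and `nft`; adjusting that assumption line to name nftables would keep the documented preconditions accurate.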
@@ -0,0 +1,195 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
+@{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
+@{OPERA_CACHEDIR} = @{HOME}/.cache/opera{,-beta,-developer}
+
+@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
+profile opera @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ ptrace (trace) peer=@{profile_name},
+
+ signal (send) set=(term, kill) peer=opera-sandbox,
+ signal (send) set=(term, kill) peer=keepassxc-proxy,
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/which rix,
+
+ @{OPERA_INSTALLDIR}/opera_sandbox rPx,
+ @{OPERA_INSTALLDIR}/opera_crashreporter rPx,
+ @{OPERA_INSTALLDIR}/opera_autoupdate krix,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/xdg-mime rPUx,
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/xdg-settings rPUx,
+ /{usr/,}bin/xdg-desktop-menu rPUx,
+ /{usr/,}bin/xdg-icon-resource rPUx,
+
+ # To remove the following error:
+ # Error initializing NSS with a persistent database
+ owner @{HOME}/.pki/ rw,
+ owner @{HOME}/.pki/nssdb/ rw,
+ owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+ # Opera home files
+ owner @{HOME}/ r,
+ owner @{OPERA_HOMEDIR}/ rw,
+ owner @{OPERA_HOMEDIR}/** rwk,
+
+ owner @{HOME}/.local/share/.org.chromium.Chromium.* rw,
+
+ # Cache files
+ owner @{HOME}/.cache/ rw,
+ owner @{OPERA_CACHEDIR}/{,**/} rw,
+ owner @{OPERA_CACHEDIR}/**/{*-,}index rw,
+ owner @{OPERA_CACHEDIR}/**/[a-f0-9]*_? rw,
+ owner @{OPERA_CACHEDIR}/**/todelete_* rw,
+
+ # For importing data (bookmarks, cookies, etc) from Firefox
+ owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ owner @{HOME}/.mozilla/firefox/*/ r,
+ owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+ owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+ owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+ owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ owner @{HOME}/.mozilla/firefox/*/logins.json r,
+ # For importing data from Chromium
+ owner "@{HOME}/.config/chromium/Local State" r,
+ owner @{HOME}/.config/chromium/Singleton{Lock,Socket,Cookie} w,
+ owner "@{HOME}/.config/chromium/*/Login Data{,-journal}" rwk,
+ owner @{HOME}/.config/chromium/*/ r,
+ owner @{HOME}/.config/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
+
+ # Flashplayer
+ owner @{HOME}/.config/google-chrome{,-beta,-unstable}/PepperFlash/**/manifest.json r,
+ owner @{HOME}/.config/google-chrome{,-beta,-unstable}/PepperFlash/latest-component-updated-flash r,
+ owner @{HOME}/.config/google-chrome{,-beta,-unstable}/PepperFlash/**/libpepflashplayer.so mr,
+
+ /etc/fstab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # Needed or opera crashes with the following error:
+ # illegal hardware instruction
+ @{PROC}/ r,
+ #
+ deny @{PROC}/vmstat r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/@{pid}/fd/ r,
+ deny @{PROC}/@{pids}/stat r,
+ deny @{PROC}/@{pids}/statm r,
+ # To remove the following error:
+ # Failed to adjust OOM score of renderer with pid : Permission denied
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ #
+ deny owner @{PROC}/@{pids}/cmdline r,
+ deny owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pid}/task/ r,
+ deny @{PROC}/@{pids}/task/@{tid}/stat r,
+ deny @{PROC}/@{pids}/task/@{tid}/status r,
+ deny owner @{PROC}/@{pid}/limits r,
+ deny owner @{PROC}/@{pid}/mem r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+
+ owner /dev/shm/.org.chromium.Chromium.* rw,
+
+ # To play DRM media (protected content)
+ /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
+ /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # Udev enumeration
+ @{sys}/bus/ r,
+ @{sys}/bus/**/devices/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/class/ r,
+ @{sys}/class/**/ r,
+ /{,var/}run/udev/data/* r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+
+ deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
+
+ # To remove the following error:
+ # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
+ # The irq file is needed to render pages.
+ @{sys}/devices/pci[0-9]*/**/irq r,
+
+ /var/tmp/ r,
+ /tmp/ r,
+ owner /tmp/.org.chromium.Chromium.* rw,
+ owner /tmp/.org.chromium.Chromium.*/{,*} rw,
+
+ # For installing/updating extensions
+ owner /tmp/scoped_dir*/{,**} rw,
+
+ # For crashreporter
+ owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
+
+ /dev/ r,
+
+ # Silencer
+ deny @{OPERA_INSTALLDIR}/** w,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/opera-crashreporter b/apparmor.d/opera-crashreporter
new file mode 100644
index 00000000..9f688a89
--- /dev/null
+++ b/apparmor.d/opera-crashreporter
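Review bot: The `# For importing data (bookmarks, cookies, etc) from Firefox` and `# For importing data from Chromium` blocks permanently grant this browser read access to `logins.json`, `{cert9,key4}.db` and `"Login Data"` — the saved-credential and key stores of two other browsers — plus `rwk` on their history and cookie databases, for a feature that is normally a one-off migration. Consider shipping those rules commented out (or moved to the local include) with a note such as `# Uncomment only while importing: exposes Firefox/Chromium credential stores to this profile`, so the default policy does not hand one browser another's secrets. Also, `profile open {` contains no rule under `# Allowed apps to open`, so `xdg-open` can never launch a handler from this child; if failing closed is intended, the comment should say so rather than look like an unfinished list.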
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
+@{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
+@{OPERA_CACHEDIR} = @{HOME}/.cache/opera{,-beta,-developer}
+
+@{exec_path} = @{OPERA_INSTALLDIR}/opera_crashreporter
+profile opera-crashreporter @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ ptrace (trace, read) peer=opera,
+
+ @{exec_path} mr,
+
+ owner @{OPERA_HOMEDIR}/crash_count.txt rwk,
+ owner @{OPERA_HOMEDIR}/GPUCache/index r,
+ owner @{OPERA_HOMEDIR}/GPUCache/data_* r,
+
+ deny owner @{PROC}/@{pids}/cmdline r,
+ deny owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pids}/task/ r,
+
+ deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+
+ #include if exists
+}
diff --git a/apparmor.d/opera-sandbox b/apparmor.d/opera-sandbox
new file mode 100644
index 00000000..6319676c
--- /dev/null
+++ b/apparmor.d/opera-sandbox
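Review bot: `ptrace (trace, read) peer=opera,` is the one rule in this profile that lets the reporter attach to the browser process and read its memory, and it carries no comment, while the opera-sandbox hunk that follows annotates every capability it grants. A one-line note such as `# trace (not just read) is needed to attach to the crashed opera process, presumably to collect the dump; keep peer= restricted to opera` would keep a later cleanup from widening the peer or dropping trace. `@{OPERA_CACHEDIR}` is defined but never referenced here; either drop it or note that the three variables are copied verbatim across the opera profiles.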
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
+@{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
+@{OPERA_CACHEDIR} = @{HOME}/.cache/opera{,-beta,-developer}
+
+@{exec_path} = @{OPERA_INSTALLDIR}/opera_sandbox
+profile opera-sandbox @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ # For kernel unprivileged user namespaces
+ capability sys_admin,
+ capability sys_chroot,
+ capability setuid,
+ capability setgid,
+
+ # optional
+ capability sys_resource,
+
+ signal (receive) set=(term, kill) peer=opera,
+
+ @{exec_path} mr,
+
+ @{OPERA_INSTALLDIR}/opera{,-beta,-developer} rPx,
+
+ @{PROC}/@{pids}/ r,
+ deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/orage b/apparmor.d/orage
new file mode 100644
index 00000000..5b584b03
--- /dev/null
+++ b/apparmor.d/orage
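Review bot: `# optional` above `capability sys_resource,` does not say what the sandbox does with it, and sys_resource lets a process raise its own resource limits, so it is not a grant to leave on an unexplained "optional". Either record what fails without it, e.g. `# sys_resource: <what breaks without it>; drop if the audit log stays quiet`, or comment the rule out and confirm in complain mode. The sys_admin/sys_chroot/setuid/setgid block is the expected setuid-sandbox set and is annotated, so only this line stands out. `@{OPERA_HOMEDIR}` and `@{OPERA_CACHEDIR}` are defined but unused in this profile.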
@@ -0,0 +1,70 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/orage +profile orage @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/globaltime rPx, + + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/exo-open rCx -> open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + + owner @{HOME}/.config/orage/ rw, + owner @{HOME}/.config/orage/* rw, + + owner @{HOME}/.local/share/orage/ rw, + owner @{HOME}/.local/share/orage/* rwk, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/pacmd b/apparmor.d/pacmd new file mode 100644 index 00000000..f903af48 --- /dev/null +++ b/apparmor.d/pacmd 
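Review bot: `/{usr/,}lib/firefox/firefox rPUx,` (in the main profile and again in the `open` child) falls back to unconfined when no profile for firefox is loaded, so on a system where that profile is missing or disabled a browser launched from the calendar runs with no confinement at all. If that fallback is intended, say so next to the rule, e.g. `# PUx: runs unconfined if the firefox profile is not loaded`; if not, `rPx` fails closed instead. The same `# Allowed apps to open` block in the opera `open` child at the top of this chunk is empty, so the two children should probably be kept in step.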
@@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pacmd +profile pacmd @{exec_path} { + #include + #include + #include + #include + + #capability sys_ptrace, + ptrace peer=pulseaudio, + + signal (send) peer=pulseaudio, + + /{usr/,}bin/pacmd mr, + + owner @{PROC}/@{pids}/stat r, + + #include if exists +} diff --git a/apparmor.d/pactl b/apparmor.d/pactl new file mode 100644 index 00000000..0e45b194 --- /dev/null +++ b/apparmor.d/pactl @@ -0,0 +1,37 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pactl +profile pactl @{exec_path} { + #include + #include + #include + #include + + /{usr/,}bin/pactl mr, + + owner @{HOME}/.Xauthority r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/.config/pulse/ rw, + + # file_inherit + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.anyRemote/anyremote.stdout w, + + #include if exists +} diff --git a/apparmor.d/pagesize b/apparmor.d/pagesize new file mode 100644 index 00000000..33861dc2 --- /dev/null +++ b/apparmor.d/pagesize 
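Review bot: `ptrace peer=pulseaudio,` has no access list, and an AppArmor ptrace rule without one grants every ptrace access (read, trace, readby, tracedby), so pacmd is allowed to attach to and trace the pulseaudio daemon rather than only read its `/proc` entries. If all that is needed is the daemon's `/proc/<pid>/stat` (the `owner @{PROC}/@{pids}/stat r,` rule suggests so), `ptrace (read) peer=pulseaudio,` is the tighter form. Style: `/{usr/,}bin/pacmd mr,` repeats the path already held by `@{exec_path}`; the other profiles in this commit write `@{exec_path} mr,`, and the pactl hunk on this same line has the identical `/{usr/,}bin/pactl mr,`.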
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/pagesize
+profile pagesize @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ # For HugePages
+ @{sys}/kernel/mm/hugepages/ r,
+
+ #include if exists
+}
diff --git a/apparmor.d/pam-auth-update b/apparmor.d/pam-auth-update
new file mode 100644
index 00000000..555ed933
--- /dev/null
+++ b/apparmor.d/pam-auth-update
@@ -0,0 +1,71 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/pam-auth-update +profile pam-auth-update @{exec_path} flags=(complain) { + #include + #include + #include + + @{exec_path} mr, + /{usr/,}bin/perl r, + + /{usr/,}bin/md5sum rix, + + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, + + /etc/pam.d/* rw, + /var/lib/pam/* rw, + /usr/share/pam{,-configs}/{,*} r, + + + profile frontend flags=(complain) { + #include + #include + #include + #include + + /usr/share/debconf/frontend r, + /{usr/,}bin/perl r, + + /{usr/,}sbin/pam-auth-update rPx, + + /{usr/,}bin/dash rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + # The following is needed when debconf uses GUI frontends. + #include + #include + #include + #include + capability dac_read_search, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/hostname rPx, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + /etc/shadow r, + + } + + #include if exists +} diff --git a/apparmor.d/pam/mappings b/apparmor.d/pam/mappings new file mode 100644 index 00000000..9ce90c0b --- /dev/null +++ b/apparmor.d/pam/mappings 
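Review bot: `/etc/shadow r,` at the end of the `frontend` child profile has no comment, and nothing else in the hunk explains why a debconf frontend would read the shadow database. Both profiles carry `flags=(complain)`, so the line is not enforced yet, which makes it easy to forget; confirm from the complain-mode log whether the read really happens (it may be an inherited descriptor from the parent rather than an open by the frontend), then either annotate it, e.g. `# observed: <what triggers the shadow read>`, or drop it. The `#FIXME#` on `/usr/share/debconf/frontend rPx` is related: if the frontend gets its own top-level profile, the embedded child here becomes dead text.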
@@ -0,0 +1,76 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# +# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example + +# +# This file contains the mappings from users to roles for the binaries +# confined with AppArmor and configured for use with libpam-apparmor. Users +# without a mapping will not be able to login. +# +# The default hat is a confined user. The hat contains only the permissions +# necessary to transition to the user's login shell. All other permissions have +# been moved into the default_user profile. +^DEFAULT { + #include + #include + capability dac_override, + capability setgid, + capability setuid, + /etc/default/su r, + /etc/environment r, + @{HOMEDIRS}/.xauth* w, + /{usr/,}bin/{,b,d,rb}ash Px -> default_user, + /{usr/,}bin/{c,k,tc,z}sh Px -> default_user, +} + +# morfik is a confined user. The hat contains only the permissions necessary +# to transition to gray's login shell. All other permissions have been +# moved into the confined_user profile. +^morfik { + #include + #include + + capability dac_override, + capability audit_write, + capability setgid, + capability setuid, + + /{usr/,}bin/{,b,d,rb}ash Px -> confined_user, + /{usr/,}bin/{c,k,tc,z}sh Px -> confined_user, + + /etc/default/su r, + /etc/environment r, + @{HOMEDIRS}/.xauth* w, + +} + +# Don't confine members whose primary group is 'admin' who are not specifically +# confined. Systems without this special primary group may want to define an +# unconfined 'root' hat in this manner (depending on site policy). 
+^root { + #include + #include + #include + + capability dac_override, + capability audit_write, + capability setgid, + capability setuid, + + /{usr/,}bin/{,b,d,rb}ash Ux, + /{usr/,}bin/{c,k,tc,z}sh Ux, + + /etc/default/su r, + /etc/environment r, + @{HOMEDIRS}/.xauth* w, + +} diff --git a/apparmor.d/pam_roles b/apparmor.d/pam_roles new file mode 100644 index 00000000..5ac7a703 --- /dev/null +++ b/apparmor.d/pam_roles @@ -0,0 +1,59 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# +# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example + +# +# This file contains the roles as referenced by pam/mappings +# + +#abi , + +#include + +# By default, allow users to read, lock and link to their own files anywhere, +# but only write to files in their home directory. Only allow limited execution +# of files. +profile default_user flags=(complain) { + #include + #include + #include + #include + + deny capability sys_ptrace, + + /{usr/,}bin/** Pixmr, + + owner /** rkl, + @{PROC}/** r, + + owner @{HOMEDIRS}/ w, + owner @{HOMEDIRS}/** w, + +} + +# Allow confined_users to read, write, lock and link to their own files +# anywhere, and execute from some places. +profile confined_user flags=(complain) { + #include + #include + #include + #include + + deny capability sys_ptrace, + + /{usr/,}bin/** Pixmr, + owner @{HOMEDIRS}/bin/** ixmr, + + owner /** rwkl, + @{PROC}/** r, + +} diff --git a/apparmor.d/parted b/apparmor.d/parted new file mode 100644 index 00000000..fbf5f4d1 --- /dev/null +++ b/apparmor.d/parted 
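Review bot: The comments on the `^morfik` and `^root` hats are stale copies of the upstream pam_apparmor example and describe something other than the rules beneath them: the `^morfik` comment speaks of transitioning to "gray's login shell", and the `^root` comment says it covers "members whose primary group is 'admin'" while the hat is for the root user and hands out `Ux` unconfined shells. Suggested wording: `# morfik is a confined user ... to transition to morfik's login shell` and `# root is not confined: the hat execs the login shell unconfined (Ux). Adjust to site policy.`. Since `Ux` is the one place in this file that escapes confinement entirely, the comment should say that rather than name a group that is not referenced anywhere.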
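Review bot: In `confined_user`, `owner @{HOMEDIRS}/bin/** ixmr,` together with `owner /** rwkl,` means any program the user places in their own `bin/` runs under this same profile with write access to every file the user owns, so the header comment's "execute from some places" undersells what the role allows. A note on the rule, e.g. `# ix: user-written programs in ~/bin inherit this whole profile, including rwkl on all owned files`, would make that explicit. Both roles are `flags=(complain)`, so none of it is enforced until the flag is removed; saying so at the top of the file would save the next reader from assuming these users are already confined.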
@@ -0,0 +1,87 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/parted +profile parted @{exec_path} { + #include + #include + + # Needed to inform the system of newly created/removed partitions + # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) + # + # Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the + # kernel of the change, probably because it/they are in use. As a result, the old partition(s) + # will remain in use. You should reboot now before making further changes. + capability sys_admin, + + # Needed? (#FIXME#) + capability sys_rawio, + + # Needed? 
+ ptrace (read), + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + + /{usr/,}bin/udevadm rCx -> udevadm, + + /{usr/,}sbin/dmidecode rPx, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/swaps r, + @{PROC}/devices r, + + /dev/mapper/ r, + /dev/mapper/control rw, + + /etc/inputrc r, + + # Image files + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + + profile udevadm { + #include + + ptrace (read), + + /{usr/,}bin/udevadm mr, + + /etc/udev/udev.conf r, + + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/1/sched r, + @{PROC}/1/environ r, + @{PROC}/1/cgroup r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + # file_inherit + #include # lots of files in this abstraction get inherited + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + } + + #include if exists +} diff --git a/apparmor.d/partprobe b/apparmor.d/partprobe new file mode 100644 index 00000000..49d48dc1 --- /dev/null +++ b/apparmor.d/partprobe 
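Review bot: `capability sys_rawio,` and `ptrace (read),` are both marked `# Needed?` and left enabled, so two privileged grants sit in an enforce-mode profile on the strength of a question. The partprobe hunk that follows answers the sys_rawio one with a concrete kernel message, so that comment can be copied here; for `ptrace (read)` (also unanswered in partprobe) commenting the rule out and watching the audit log is the cheap way to settle it. Separately, `/{usr/,}bin/dash rix,` runs a shell that inherits this profile's sys_admin and sys_rawio; if dash is only spawned to reach udevadm (which already has its own `rCx -> udevadm` rule), a comment saying what parted execs the shell for would make the grant reviewable, and the same applies to the identical line in partprobe.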
@@ -0,0 +1,75 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/partprobe +profile partprobe @{exec_path} { + #include + #include + + # To remove the following errors: + # device-mapper: version ioctl on failed: Permission denied + # Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version). + capability sys_admin, + + # To remove the following errors: + # kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required + # privilege. + capability sys_rawio, + + # Needed? + ptrace (read), + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + + /{usr/,}bin/udevadm rCx -> udevadm, + + /{usr/,}sbin/dmidecode rPx, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/swaps r, + @{PROC}/devices r, + + /dev/mapper/ r, + /dev/mapper/control rw, + + + profile udevadm { + #include + + ptrace (read), + + /{usr/,}bin/udevadm mr, + + /etc/udev/udev.conf r, + + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/1/sched r, + @{PROC}/1/environ r, + @{PROC}/1/cgroup r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + # file_inherit + #include # lots of files in this abstraction get inherited + /dev/mapper/control rw, + + } + + #include if exists +} diff --git a/apparmor.d/passwd b/apparmor.d/passwd new file mode 100644 index 00000000..f3fa1a93 --- /dev/null +++ b/apparmor.d/passwd 
@@ -0,0 +1,48 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/passwd +profile passwd @{exec_path} { + #include + #include + #include + #include + + # To write records to the kernel auditing log. + capability audit_write, + + # To set the right permission to the files in the /etc/. + # Since passwd reads and writes from /etc/ directory, the write permissions are requried by it. + # Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and + # renames /etc/nshadow to /etc/shadow. + capability chown, + capability fsetid, + + # passwd is a SETUID binary, but it looks like it doesn't want this CAP. + #capability setuid, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/loginuid r, + + /etc/shadow rw, + /etc/nshadow rw, + + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to + # modify the /etc/passwd or /etc/shadow password database. + /etc/.pwd.lock rwk, + + #include if exists +} diff --git a/apparmor.d/pavucontrol b/apparmor.d/pavucontrol new file mode 100644 index 00000000..10433e09 --- /dev/null +++ b/apparmor.d/pavucontrol 
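Review bot: The comment above `capability chown,` says `/etc/shadow is never written by passwd`, yet the rule a few lines below is `/etc/shadow rw,`; a reader following the comment would tighten it to `r` and break the program. The write bit is needed because renaming `/etc/nshadow` over `/etc/shadow` requires `w` on the destination path in AppArmor, not because the file is opened for writing, so the rule deserves its own comment: `# w is for the rename(/etc/nshadow -> /etc/shadow), not for opening the file`. With that in place the `rw` on `/etc/nshadow` reads as the real write target.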
@@ -0,0 +1,46 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pavucontrol +profile pavucontrol @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # Pavucontrol files + /usr/share/pavucontrol/pavucontrol.glade r, + + # Pavucontrol config files + owner @{HOME}/.config/pavucontrol.ini* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{PROC}/@{pid}/cmdline r, + + # Missing icons + /usr/share/**/icons/**/*.png r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/pinentry-gtk-2 b/apparmor.d/pinentry-gtk-2 new file mode 100644 index 00000000..e011bd10 --- /dev/null +++ b/apparmor.d/pinentry-gtk-2 @@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pinentry-gtk-2 +profile pinentry-gtk-2 @{exec_path} { + #include + #include + #include + #include + #include + + @{exec_path} mr, + + #include if exists +} diff --git a/apparmor.d/pinentry-kwallet b/apparmor.d/pinentry-kwallet new file mode 100644 index 00000000..949df6da --- /dev/null +++ b/apparmor.d/pinentry-kwallet 
@@ -0,0 +1,60 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pinentry-kwallet +profile pinentry-kwallet @{exec_path} { + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=gpg-agent, + + @{exec_path} mr, + + /{usr/,}bin/pinentry-* rPx, + + /{usr/,}bin/kwalletcli_getpin rix, + /{usr/,}bin/kwalletcli rCx -> kwalletcli, + + # when wrong PIN is provided + /{usr/,}bin/date rix, + + /{usr/,}bin/mksh rix, + /{usr/,}bin/env rix, + + owner @{HOME}/.Xauthority r, + + /usr/share/hwdata/pnp.ids r, + + + profile kwalletcli { + #include + + /{usr/,}bin/kwalletcli mr, + + owner @{HOME}/.config/kdeglobals r, + owner @{HOME}/.config/kwalletrc r, + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + + owner @{HOME}/.Xauthority r, + + /usr/share/hwdata/pnp.ids r, + + } + + #include if exists +} diff --git a/apparmor.d/pinentry-qt b/apparmor.d/pinentry-qt new file mode 100644 index 00000000..a86b3edd --- /dev/null +++ b/apparmor.d/pinentry-qt 
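Review bot: `/{usr/,}bin/pinentry-* rPx,` matches every pinentry frontend, including this profile's own binary and any future `pinentry-foo`, and with `Px` each target needs a profile of the same name or the exec is refused. That is the safe failure mode, but it is not obvious from the rule; a comment such as `# fallback frontends: each needs its own profile (Px, no unconfined fallback)` would explain the first EACCES someone hits after installing another pinentry. `signal (send) set=(term, kill) peer=gpg-agent,` likewise lacks a note on when pinentry-kwallet signals the agent.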
@@ -0,0 +1,48 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pinentry-qt +profile pinentry-qt @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/cmdline r, + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{HOME}/.cache/#[0-9]*[0-9] rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /dev/shm/#[0-9]*[0-9] rw, + + /usr/share/hwdata/pnp.ids r, + + #include if exists +} diff --git a/apparmor.d/pkexec b/apparmor.d/pkexec new file mode 100644 index 00000000..58678198 --- /dev/null +++ b/apparmor.d/pkexec 
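Review bot: `/dev/shm/#[0-9]*[0-9] rw,` has no `owner` qualifier while the matching `owner @{HOME}/.cache/#[0-9]*[0-9] rw,` two lines above does; the `#NNN` names are the kernel's spelling for unlinked/O_TMPFILE files, and nothing here suggests pinentry needs to touch another user's shared-memory objects. `owner /dev/shm/#[0-9]*[0-9] rw,` keeps the behaviour for the process's own files. The polkit-kde-authentication-agent hunk later in this chunk carries the identical unqualified rule.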
@@ -0,0 +1,60 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pkexec +profile pkexec @{exec_path} flags=(complain) { + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=polkit-agent-helper, + + capability sys_ptrace, + capability audit_write, + + # gdbus + capability setgid, + # gmain + capability setuid, + + # Needed? + deny capability sys_nice, + + ptrace (read), + + @{exec_path} mr, + + /etc/shells r, + /etc/environment r, + /etc/default/locale r, + + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pid}/fd/ r, + + # Apps to be run via pkexec + /{usr/,}sbin/* rPUx, + /{usr/,}bin/* rPUx, + /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) + + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/polipo b/apparmor.d/polipo new file mode 100644 index 00000000..672b8be1 --- /dev/null +++ b/apparmor.d/polipo 
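Review bot: `/{usr/,}sbin/* rPUx,` and `/{usr/,}bin/* rPUx,` mean every binary without a profile of its own runs unconfined as root once polkit says yes; that is what pkexec is for, but nothing in the hunk states that confinement of the privileged child depends entirely on the target having a profile, and `flags=(complain)` means this profile enforces nothing yet either. A line such as `# PUx: targets without a profile run unconfined as root; confining the child is up to the target's own profile` above the block would make the trade-off explicit. `# Needed?` followed by `deny capability sys_nice,` (also in the polkit-agent-helper hunk) can no longer be answered from the log, because a plain `deny` suppresses the audit message; drop the `deny` while investigating, or document what triggers it.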
@@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/polipo +profile polipo @{exec_path} { + #include + + @{exec_path} mr, + + /etc/polipo/* r, + + owner /var/log/polipo/ r, + owner /var/log/polipo/polipo.log w, + + # Cache dir + owner /var/cache/polipo/{,*} rw, + owner @{HOME}/.polipo-cache/{,*} rw, + + # Nameservice + /etc/resolv.conf r, + + #include if exists +} diff --git a/apparmor.d/polkit-agent-helper b/apparmor.d/polkit-agent-helper new file mode 100644 index 00000000..0dd3fe98 --- /dev/null +++ b/apparmor.d/polkit-agent-helper @@ -0,0 +1,42 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] +profile polkit-agent-helper @{exec_path} { + #include + #include + #include + #include + #include + + signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, + signal (receive) set=(term, kill) peer=pkexec, + + capability setgid, + capability setuid, + + capability audit_write, + + # Needed? + deny capability sys_nice, + + @{exec_path} mr, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} 
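Review bot: No `network` rule is visible in this profile although polipo is a TCP proxy that both listens and connects; unless one of the `#include` lines (whose targets are not shown on this page) brings one in, the daemon cannot open a socket under enforcement. If that is the case, `network inet stream,` and `network inet6 stream,` are the minimal additions, with a comment naming the listening port so the rule ties back to `/etc/polipo/*`. `owner /var/log/polipo/polipo.log w,` grants full write; if the log is only ever appended to, `a` is the tighter permission.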
diff --git a/apparmor.d/polkit-kde-authentication-agent b/apparmor.d/polkit-kde-authentication-agent new file mode 100644 index 00000000..f68b79dc --- /dev/null +++ b/apparmor.d/polkit-kde-authentication-agent @@ -0,0 +1,62 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/polkit-kde-authentication-agent-[0-9] +profile polkit-kde-authentication-agent @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=polkit-agent-helper, + + @{exec_path} mr, + + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/sys/kernel/core_pattern r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/hwdata/pnp.ids r, + + owner @{HOME}/.config/kdeglobals r, + owner @{HOME}/.cache/icon-cache.kcache rw, + + /dev/shm/#[0-9]*[0-9] rw, + + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9], + + #include if exists +} diff --git a/apparmor.d/polkit-mate-authentication-agent b/apparmor.d/polkit-mate-authentication-agent new file mode 100644 index 00000000..1e1064bb --- /dev/null +++ b/apparmor.d/polkit-mate-authentication-agent 
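Review bot: `@{PROC}/@{pid}/cmdline r,`, `@{PROC}/@{pid}/cgroup r,` and `@{PROC}/@{pid}/fd/ r,` carry no `owner`, and with the stock kernelvars tunable `@{pid}` expands to any pid, so the agent may read those entries for every process on the system; the polkit-mate-authentication-agent hunk that follows uses `owner @{PROC}/@{pid}/cgroup r,` for the same purpose. Prefix the three with `owner` unless the agent really inspects other processes, which is polkitd's job rather than the agent's. `/dev/shm/#[0-9]*[0-9] rw,` has the same missing `owner`.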
@@ -0,0 +1,48 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] +profile polkit-mate-authentication-agent @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=polkit-agent-helper, + + @{exec_path} mr, + + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/.Xauthority r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/polkitd b/apparmor.d/polkitd new file mode 100644 index 00000000..fda4ea12 --- /dev/null +++ b/apparmor.d/polkitd 
@@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}lib/polkit-1/polkitd +profile polkitd @{exec_path} { + #include + #include + + # Tu run as polkitd:nogroup + capability setuid, + capability setgid, + + # What's this for? + capability net_admin, + + @{exec_path} mr, + + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/cgroup r, + + # System rules + /etc/polkit-1/rules.d/{,[0-9][0-9]-*.rules} r, + + # Vendor rules + /usr/share/polkit-1/rules.d/{,*.rules} r, + + # Vendor policies + /usr/share/polkit-1/actions/{,*.policy} r, + + owner /var/lib/polkit-1/.cache/ rw, + + /{,var/}run/systemd/sessions/* r, + /{,var/}run/systemd/users/[0-9]* r, + + #include if exists +} diff --git a/apparmor.d/popcon-largest-unused b/apparmor.d/popcon-largest-unused new file mode 100644 index 00000000..0a77f5f7 --- /dev/null +++ b/apparmor.d/popcon-largest-unused 
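Review bot: `capability net_admin,` is granted under the comment `# What's this for?`, which leaves an unexplained, high-value capability in the system authorization daemon. In enforce mode the audit log will show whether polkitd ever requests it; until it does, commenting the rule out is safer than keeping it on an open question, and once the reason is known it belongs in the comment. Typo in the comment above the setuid/setgid pair: `# Tu run as polkitd:nogroup` should read `# To run as polkitd:nogroup`.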
@@ -0,0 +1,37 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/popcon-largest-unused +profile popcon-largest-unused @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/xargs rix, + + /{usr/,}bin/apt-cache rPx, + + /var/log/popularity-contest r, + + owner @{PROC}/@{pid}/fd/ r, + + #include if exists +} diff --git a/apparmor.d/popularity-contest b/apparmor.d/popularity-contest new file mode 100644 index 00000000..25dce784 --- /dev/null +++ b/apparmor.d/popularity-contest 
@@ -0,0 +1,56 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/popularity-contest +profile popularity-contest @{exec_path} { + #include + #include + #include + + # For popularity-contest --su-nobody + capability setuid, + capability setgid, + + capability sys_ptrace, + ptrace (read), + + capability dac_read_search, + + @{exec_path} r, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + /{usr/,}bin/env rix, + + /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + + /etc/popularity-contest.conf r, + + /etc/dpkg/origins/debian r, + + /etc/shadow r, + + /var/lib/dpkg/info/{,*.list} r, + + @{PROC}/ r, + + # file_inherit + /var/log/popularity-contest.new w, + /tmp/#[0-9]*[0-9] rw, + + #include if exists +} diff --git a/apparmor.d/ps b/apparmor.d/ps new file mode 100644 index 00000000..3567009c --- /dev/null +++ b/apparmor.d/ps 
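Review bot: `/etc/shadow r,` is granted without a comment in a script whose job is to report installed-package usage, alongside `capability dac_read_search,` and `capability sys_ptrace,`; together these let it read the shadow database and every process's `/proc` entries. If the read was merely observed in the log (possibly from the `--su-nobody` path mentioned at the top of the profile, though that is a guess), `deny /etc/shadow r,` records the decision and keeps the log quiet without granting it; if it is genuinely required, the reason should sit on the line above. The same unexplained `/etc/shadow r,` appears in the pam-auth-update hunk's `frontend` child earlier in this chunk.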
@@ -0,0 +1,71 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# When any of the "*ns" parameters is used, the following error will be printed: +# "Failed name lookup - disconnected path" error=-13 profile="ps" name="". +@{exec_path} = /{usr/,}bin/ps +profile ps @{exec_path} flags=(attach_disconnected) { + #include + #include + #include + + # To be able to read the /proc/ files of all processes in the system. + capability dac_read_search, + + capability sys_ptrace, + + ptrace (read), + + @{exec_path} mr, + + # The "/proc/" dir is needed to avoid the following error: + # error: can not access /proc + # The "stat" file is needed to avoid the following error: + # Error, do this: mount -t proc proc /proc + # The "uptime" file is needed to avoid the following error: + # Error: /proc must be mounted + + @{PROC}/ r, + + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + + @{PROC}/@{pids}/wchan r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/loginuid r, + + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + + /{var/,}run/systemd/sessions/[0-9]* r, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{sys}/devices/system/node/node[0-9]*/cpumap r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} 
diff --git a/apparmor.d/ps-mem b/apparmor.d/ps-mem new file mode 100644 index 00000000..b1d86c7b --- /dev/null +++ b/apparmor.d/ps-mem @@ -0,0 +1,39 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ps_mem +profile ps-mem @{exec_path} { + #include + #include + + capability sys_ptrace, + + ptrace (read), + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/smaps_rollup r, + @{PROC}/@{pids}/cmdline r, + # For the "--swap" flag + @{PROC}/@{pid}/smaps r, + + #include if exists +} diff --git a/apparmor.d/pscap b/apparmor.d/pscap new file mode 100644 index 00000000..608e3394 --- /dev/null +++ b/apparmor.d/pscap @@ -0,0 +1,32 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pscap +profile pscap @{exec_path} { + #include + #include + #include + + capability sys_ptrace, + + ptrace (read), + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + + #include if exists +} diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus new file mode 100644 index 00000000..eb9a3cca --- /dev/null +++ b/apparmor.d/psi-plus 
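Review bot: In the ps-mem hunk the `--swap` rule reads `@{PROC}/@{pid}/smaps r,` while every sibling rule uses `@{pids}`; on AppArmor releases where `@{pid}` is a kernel variable resolving to the confined task's own pid, this only lets ps_mem read its own smaps, so `--swap` would be denied for every other process. If all processes are meant, change it to `@{PROC}/@{pids}/smaps r,`; if the narrower form is intentional, say so in the comment. The pscap hunk on the same line uses `@{pids}` consistently and raises nothing.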
@@ -0,0 +1,153 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/psi-plus +profile psi-plus @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=child-lsb_release, + + @{exec_path} mr, + + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/xdg-open rCx -> open, + + # Needed for GPG/PGP support + /{usr/,}bin/gpg rCx -> gpg, + + # Needed for playing sound events + /{usr/,}bin/aplay rCx -> aplay, + + # PSI files + /usr/share/psi-plus/{,**} r, + + # PSI config files + owner @{HOME}/ r, + owner @{HOME}/.config/psi+/ rw, + owner @{HOME}/.config/psi+/** rwkl -> @{HOME}/.config/psi+/#[0-9]*[0-9], + + owner @{HOME}/.local/share/psi+/ rw, + owner @{HOME}/.local/share/psi+/** rwk, + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + # Cache files + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/psi+/{,**} rw, + owner @{HOME}/.cache/#[0-9]*[0-9] rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Autostart + owner @{HOME}/.config/autostart/psi-plus.desktop rw, + + /etc/debian_version r, + + /dev/shm/#[0-9]*[0-9] rw, + + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + owner /var/tmp/etilqs_[0-9a-f]* rw, + + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9], + + /{var/,}run/systemd/inhibit/[0-9]*.ref rw, + + /usr/share/hwdata/pnp.ids r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile aplay { + #include + #include + + /{usr/,}bin/aplay mr, + #/{usr/,}bin/pulseaudio rPUx, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/psi-plus/sound/** r, + + owner @{HOME}/.Xauthority r, + + # file_inherit + deny /dev/dri/card[0-9]* rw, + + } + + profile gpg { + #include + + /{usr/,}bin/gpg mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + # file_inherit + deny /dev/dri/card[0-9]* rw, + + } + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/pulseaudio b/apparmor.d/pulseaudio new file mode 100644 index 00000000..d6d07587 --- /dev/null +++ b/apparmor.d/pulseaudio 
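Review bot: The `aplay` child profile in the psi-plus hunk keeps a commented-out `#/{usr/,}bin/pulseaudio rPUx,` with no note on whether it is a pending rule or a rejected one; either drop it or annotate it, for example `# pulseaudio is reached over its socket, no exec needed` if that is the case. The `gpg` child grants `owner @{HOME}/.gnupg/** rwkl` over the whole keyring tree, private key material included; a comment on which writes (trustdb, lock files) the GPG/PGP support actually performs would let a later reviewer tighten it. `/{usr/,}lib/firefox/firefox rPUx,` appears both in the main profile and in the `open` child; if only xdg-open launches the browser, the main-profile copy is dead and can go.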
@@ -0,0 +1,87 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/pulseaudio +profile pulseaudio @{exec_path} { + #include + #include + #include + #include + #include + + ptrace (trace) peer=@{profile_name}, + + signal (receive) peer=pacmd, + + @{exec_path} mrix, + + /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, + + # PulseAudio files + /usr/share/pulseaudio/** r, + /{usr/,}lib/pulse-*/modules/*.so mr, + + # PulseAudio home config files + owner @{HOME}/.config/pulse/{,**} rw, + + # Needed when PulseAudio is started via the start-pulseaudio-x11 script + owner @{HOME}/.Xauthority r, + + # TCP wrap + /etc/hosts.{allow,deny} r, + + owner /{,var/}run/user/[0-9]*/ rw, + owner /{,var/}run/user/[0-9]*/pulse/{,*} rw, + + /usr/share/applications/{,**} r, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/sound/ r, + @{sys}/devices/**/sound/**/{uevent,pcm_class} r, + /{,var/}run/udev/data/+sound* r, + /{,var/}run/udev/data/c116:[0-9]* r, # For ALSA + + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]/meminfo r, + + /{,var/}run/systemd/users/[0-9]* r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # The orcexec.* file is JIT compiled code for various GStreamer elements. + # If one is blocked the next is used instead. 
+ owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + #owner @{HOME}/orcexec.* mrw, + #owner /tmp/orcexec.* mrw, + + # For SDDM + owner /var/lib/sddm/.config/pulse/ rw, + owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw, + owner /var/lib/sddm/.config/pulse/*-default-{sink,source} rw, + owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw, + owner /var/lib/sddm/.config/pulse/cookie rwk, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent new file mode 100644 index 00000000..c30cc747 --- /dev/null +++ b/apparmor.d/qbittorrent 
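Review bot: `@{sys}/devices/system/node/node[0-9]/meminfo r,` in the pulseaudio hunk matches only NUMA nodes 0-9, whereas the ps profile in this same commit uses `node[0-9]*` for the identical path; `@{sys}/devices/system/node/node[0-9]*/meminfo r,` keeps the two consistent and avoids a silent denial on larger machines. `ptrace (trace) peer=@{profile_name},` grants full trace rather than `read` against pulseaudio's own instances; a comment on which operation needs `trace` would justify the wider permission. The `orcexec.* mrw` rule deliberately combines write and exec-mapping on one file, and the existing JIT comment documents that adequately.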
@@ -0,0 +1,171 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{TORRENT_DIR} = /media/*/torrent + +@{exec_path} = /{usr/,}bin/qbittorrent +profile qbittorrent @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=qbittorrent//python3, + + @{exec_path} mr, + + # For "search engine" + /{usr/,}bin/python3.[0-9]* rCx -> python3, + + # Qbittorrent home dirs + owner @{HOME}/.config/qBittorrent/ rw, + owner @{HOME}/.config/qBittorrent/** rwkl -> @{HOME}/.config/qBittorrent/#[0-9]*[0-9], + owner @{HOME}/.local/share/data/qBittorrent/ rw, + owner @{HOME}/.local/share/data/qBittorrent/** rwl -> @{HOME}/.local/share/data/qBittorrent/**/#[0-9]*[0-9], + + # Cache dir + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qBittorrent/{,**} rw, + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + # Torrent files + /media/ r, + owner /media/*/ r, + owner @{TORRENT_DIR}/ r, + owner @{TORRENT_DIR}/** rw, + + # GeoIP settings + /usr/share/GeoIP/GeoIP.dat r, + + /dev/disk/by-label/ r, + + /dev/shm/#[0-9]*[0-9] rw, + + owner @{PROC}/@{pid}/fd/ r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # TMP + owner /tmp/qtsingleapp-qBitto-* rw, + owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, + owner /tmp/.qBittorrent/ rw, + owner /tmp/.qBittorrent/#[0-9]*[0-9] rw, + owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9], + owner /tmp/mozilla_*/*.torrent rw, + # To load/add torrents from the search engine + owner /tmp/tmp* rw, + owner /tmp/.*/{,s} rw, + + owner /tmp/xauth-[0-9]*-_[0-9] rw, + + # Launch external apps + /{usr/,}bin/xdg-open rCx -> open, + + # Allowed apps to open + /{usr/,}bin/spacefm rPx, + /{usr/,}bin/smplayer rPx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/geany rPx, + /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/ebook-viewer rPx, + /{usr/,}lib/firefox/firefox rPx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile python3 { + #include + #include + #include + #include + #include + + signal (receive) set=(term, kill) peer=qbittorrent, + + /{usr/,}bin/python3.[0-9]* r, + + owner @{HOME}/.local/share/data/qBittorrent/nova[0-9]/{,**} rw, + + # Used while searching for torrents + owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9], + owner /dev/shm/* rw, + + # To load/add torrents from the search engine + owner /tmp/[0-9]*[0-9] rw, + owner /tmp/tmp* rw, + + # file_inherit + owner /media/*/torrent/** r, + deny /dev/dri/card[0-9]* rw, + + } + + profile open { + #include + #include + + 
/{usr/,}bin/xdg-open mr, + + /{usr/,}bin/dash rix, + + # Allowed apps to open + /{usr/,}bin/spacefm rPx, + /{usr/,}bin/smplayer rPx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/geany rPx, + /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/ebook-viewer rPx, + /{usr/,}lib/firefox/firefox rPx, + + # file_inherit + owner /media/*/torrent/** r, + owner /media/*/torrent/**.[0-9a-f]*.parts rw, + owner "/media/*/torrent/**.!qB" rw, + + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/qbittorrent-nox b/apparmor.d/qbittorrent-nox new file mode 100644 index 00000000..cc7f11ab --- /dev/null +++ b/apparmor.d/qbittorrent-nox 
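Review bot: `owner /tmp/.*/{,s} rw,` in the qbittorrent hunk (and again in qbittorrent-nox) is an opaque pattern, matching any dot-directory in /tmp plus an `s` entry inside it, with no comment naming what creates those paths; a one-line note on the producing component would let a reviewer judge whether the glob can be narrowed. The `python3` child profile grants the interpreter only `/{usr/,}bin/python3.[0-9]* r,` while the `open`, `aplay` and `gpg` child profiles elsewhere in this commit give their transitioned-to binary `mr`; if the `r`-only form is deliberate a comment should say why, otherwise align it. In the same child, `owner /dev/shm/* rw,` is broader than the preceding `sem.mp-*` rule and presumably subsumes it.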
@@ -0,0 +1,72 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{TORRENT_DIR} = /media/*/torrent + +@{exec_path} = /{usr/,}bin/qbittorrent-nox +profile qbittorrent-nox @{exec_path} { + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # Qbittorrent home dirs + owner @{HOME}/.config/qBittorrent/ rw, + owner @{HOME}/.config/qBittorrent/** rwkl -> @{HOME}/.config/qBittorrent/#[0-9]*[0-9], + owner @{HOME}/.local/share/data/qBittorrent/ rw, + owner @{HOME}/.local/share/data/qBittorrent/** rwl -> @{HOME}/.local/share/data/qBittorrent/**/#[0-9]*[0-9], + + # Cache dir + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qBittorrent/{,**} rw, + + # Torrent files + /media/ r, + owner /media/*/ r, + owner @{TORRENT_DIR}/ r, + owner @{TORRENT_DIR}/** rw, + + /dev/disk/by-label/ r, + + /dev/shm/#[0-9]*[0-9] rw, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/mime/mime.cache r, + /usr/share/mime/types r, + owner @{HOME}/.local/share/mime/mime.cache r, + owner @{HOME}/.local/share/mime/types r, + + # TMP + owner /tmp/qtsingleapp-qBitto-* rw, + owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, + owner /tmp/.qBittorrent/ rw, + owner /tmp/.qBittorrent/#[0-9]*[0-9] rw, + owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9], + owner /tmp/mozilla_*/*.torrent rw, + owner /tmp/.*/{,s} rw, + + #include if exists +} 
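Review bot: `owner /tmp/mozilla_*/*.torrent rw,` is carried over into the headless qbittorrent-nox profile, which otherwise has no browser-facing rules; if the daemon never ingests files from a Firefox download directory, dropping the rule narrows the policy, and if it does, a comment should say which workflow relies on it. `owner /tmp/.*/{,s} rw,` is the same unexplained glob as in the qbittorrent profile and deserves the same comment.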
diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi new file mode 100644 index 00000000..41c0bf53 --- /dev/null +++ b/apparmor.d/qnapi 
@@ -0,0 +1,141 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Video/audio extensions: +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, +# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +@{qnapi_vid_ext} = [aA]{52,[aA][cC],[cC]3} +@{qnapi_vid_ext} += [mM][kK][aA] +@{qnapi_vid_ext} += [fF][lL][aA][cC] +@{qnapi_vid_ext} += [mM][pP][123cC] +@{qnapi_vid_ext} += [oO][gGmM][aA] +@{qnapi_vid_ext} += [wW]{,[aA]}[vV] +@{qnapi_vid_ext} += [wW][mM]{,[aA]} +@{qnapi_vid_ext} += 3[gG]{[2pP],[pP][2pP]} +@{qnapi_vid_ext} += [aA][sS][fF] +@{qnapi_vid_ext} += [aA][vV][iI] +@{qnapi_vid_ext} += [dD][iI][vV][xX] +@{qnapi_vid_ext} += [mM][124][vV] +@{qnapi_vid_ext} += [mM][kKoO][vV] +@{qnapi_vid_ext} += [mM][pP][4aAeEgG] +@{qnapi_vid_ext} += [mM][pP][eE][gG]{,[124]} +@{qnapi_vid_ext} += [oO][gG][gGmMxXvV] +@{qnapi_vid_ext} += [rR][mM]{,[vV][bB]} +@{qnapi_vid_ext} += [wW][eE][bB][mM] +@{qnapi_vid_ext} += [wW][mMtT][vV] +@{qnapi_vid_ext} += [mM][pP]2[tT] + +# Subtitle extensions: +# srt, txt, sub +@{qnapi_txt_ext} = [sS][rR][tT] +@{qnapi_txt_ext} += [tT][xX][tT] +@{qnapi_txt_ext} += [sS][uU][bB] + +@{exec_path} = /{usr/,}bin/qnapi +profile qnapi @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the + # action (stop qnapi), the apps send the term/kill signal to qnapi. 
+ signal (receive) set=(kill, term), + + @{exec_path} mr, + + /{usr/,}bin/7z rix, + /{usr/,}lib/p7zip/7z rix, + + /{usr/,}bin/ffprobe rPUx, + /{usr/,}bin/xdg-open rCx -> open, + + # Movie dirs + /media/ r, + owner /media/*/ r, + owner /media/*/** r, + owner /media/*/**#[0-9]*[0-9] rw, + owner /media/*/**.@{qnapi_vid_ext} r, + owner /media/*/**.@{qnapi_txt_ext} rwl -> /media/*/**/#[0-9]*[0-9], + + owner @{HOME}/ r, + owner @{HOME}/.config/qnapi.ini rw, + owner @{HOME}/.config/qnapi.ini.lock rwk, + owner @{HOME}/.config/qnapi.ini.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + owner @{HOME}/.config/qnapi.ini.mlXXXY rwl -> @{HOME}/.config/#[0-9]*[0-9], + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{HOME}/.cache/ rw, + + /usr/share/hwdata/pnp.ids r, + + /dev/shm/#[0-9]*[0-9] rw, + + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + + /etc/fstab r, + + /tmp/ r, + owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9], + owner /tmp/QNapi-*-rc.lock rwk, + owner /tmp/QNapi.[0-9]*.tmp rw, + owner /tmp/QNapi.[0-9]*[0-9] rw, + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw, + owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw, + owner /tmp/*.@{qnapi_txt_ext} rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/qpdfview b/apparmor.d/qpdfview new file mode 100644 index 00000000..8bf7f459 --- /dev/null +++ b/apparmor.d/qpdfview 
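Review bot: Several rules in the qnapi hunk are subsumed by their neighbours and can be dropped without changing the effective policy: `owner @{HOME}/.config/qnapi.ini.mlXXXY rwl -> ...` is covered by the `qnapi.ini.*` rule directly above it (and `mlXXXY` reads like an unreplaced template name), `owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw,` by the `rwl` rule that follows it, and `owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw,` by `owner /tmp/*.@{qnapi_txt_ext} rw,`. `signal (receive) set=(kill, term),` carries no `peer=`, so any task may stop qnapi; the comment names the senders only as "some apps", and listing their profiles in a `peer=` would be tighter. `/{usr/,}bin/ffprobe rPUx,` lets a parser of user-supplied media run unconfined whenever no ffprobe profile is loaded, which is worth a comment so it is revisited once one exists.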
@@ -0,0 +1,123 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Ebooks extensions +# pdf, epub, djvu +@{qpdfview_ext} = [pP][dD][fF] +@{qpdfview_ext} += [eE][pP][uU][bB] +@{qpdfview_ext} += [dD][jJ][vV][uU] + +@{exec_path} = /{usr/,}bin/qpdfview +profile qpdfview @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # For PDF's internal compression + /{usr/,}bin/gzip rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/xz rix, + + /{usr/,}bin/xdg-open rCx -> open, + + # Which media files qpdfview should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + /tmp/ r, + /tmp/mozilla_*/ r, + owner /{home,media,tmp/mozilla_*}/**.@{qpdfview_ext} rw, + + owner @{HOME}/.config/qpdfview/ rw, + owner @{HOME}/.config/qpdfview/* rwkl -> @{HOME}/.config/qpdfview/#[0-9]*[0-9], + + owner @{HOME}/.local/share/qpdfview/ rw, + owner @{HOME}/.local/share/qpdfview/** rwk, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /dev/shm/#[0-9]*[0-9] rw, + + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /usr/share/poppler/** r, + + /usr/share/hwdata/pnp.ids r, + + # Print + owner /tmp/[0-9a-f]* rw, + + # Save as + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9], + + /usr/share/djvu/** r, + + # 
Plugins + #/{usr/,}bin/libqpdfview_ps.so mr, + #/{usr/,}bin/libqpdfview_djvu.so mr, + #/{usr/,}lib/qpdfview/libqpdfview_ps.so mr, + #/{usr/,}lib/qpdfview/libqpdfview_djvu.so mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} + + diff --git a/apparmor.d/qt5ct b/apparmor.d/qt5ct new file mode 100644 index 00000000..a0726c59 --- /dev/null +++ b/apparmor.d/qt5ct 
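Review bot: `owner /tmp/[0-9a-f]* rw,` under `# Print` in the qpdfview hunk matches every hex-named file in /tmp, far wider than the `qpdfview.*.pdf` rule for Save-as just below; the comment should name what produces that file name (presumably the print spooler's temporary copy) so the glob can be anchored to it. The `# Plugins` block is four commented-out `mr` rules with no explanation; if the plugin paths are already granted by an abstraction, say so, otherwise delete them. `owner /{home,media,tmp/mozilla_*}/**.@{qpdfview_ext} rw,` grants write, not just read, on every owned document under home; if that exists only for Save-as, a comment saying so would help.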
@@ -0,0 +1,63 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/qt5ct +profile qt5ct @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + owner @{HOME}/.config/qt5ct/ rw, + owner @{HOME}/.config/qt5ct/** rwk, + owner @{HOME}/.config/qt5ct/qt5ct.conf.* rwl -> @{HOME}/.config/qt5ct/#[0-9]*[0-9], + owner @{HOME}/.config/qt5ct/colors/*.conf rwl -> @{HOME}/.config/qt5ct/colors/#[0-9]*[0-9], + + owner @{HOME}/.config/fontconfig/ rw, + owner @{HOME}/.config/fontconfig/** rw, + owner @{HOME}/.config/fontconfig/fonts.conf.back rwl -> @{HOME}/.config/fontconfig/#[0-9]*[0-9], + + owner @{HOME}/.config/kdeglobals r, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/icon-cache.kcache rw, + + /usr/share/qt5ct/** r, + + /usr/share/xsessions/{,*.desktop} r, + + owner @{PROC}/@{pid}/cmdline r, + @{PROC}//sys/kernel/random/boot_id r, + + /etc/X11/cursors/*.theme r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + /dev/shm/#[0-9]*[0-9] rw, + + #include if exists +} diff --git a/apparmor.d/qtchooser b/apparmor.d/qtchooser new file mode 100644 index 00000000..690f6435 --- /dev/null +++ b/apparmor.d/qtchooser 
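Review bot: `@{PROC}//sys/kernel/random/boot_id r,` in the qt5ct hunk has a doubled slash after `@{PROC}`, so it is unlikely to match the real `/proc/sys/kernel/random/boot_id` path; it should read `@{PROC}/sys/kernel/random/boot_id r,`. The other Qt profiles in this commit `deny` this path and `owner @{PROC}/@{pid}/cmdline r,` rather than allow them; if qt5ct genuinely needs both, a comment would keep the divergence from being "fixed" later.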
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/qtchooser
+profile qtchooser @{exec_path} flags=(complain) {
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/qt5/bin/qdbus rPUx,
+ /{usr/,}lib/qt5/bin/qmake rPUx,
+
+ /usr/share/qtchooser/{,*.conf} r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/querybts b/apparmor.d/querybts
new file mode 100644
index 00000000..424bd77c
--- /dev/null
+++ b/apparmor.d/querybts
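Review bot: The qtchooser profile is loaded with `flags=(complain)`, so none of its rules are enforced, yet nothing in the hunk says whether that is a work-in-progress marker or permanent; a comment such as `# complain: qtchooser dispatches arbitrary Qt tools, rules still being collected` would tell the next reader what is missing before enforcement. Only `qdbus` and `qmake` are listed, both as `rPUx`, so each falls back to unconfined when no profile of its own exists.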
@@ -0,0 +1,76 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/querybts +profile querybts @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/dash rix, + /{usr/,}bin/stty rix, + /{usr/,}sbin/ldconfig rix, + + /{usr/,}bin/xdg-open rCx -> open, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + /etc/reportbug.conf r, + owner @{HOME}/.reportbugrc r, + + /etc/mime.types r, + /etc/inputrc r, + + /etc/dpkg/origins/ r, + /etc/dpkg/origins/debian r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + + /etc/fstab r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss new file mode 100644 index 00000000..a2ef6272 --- /dev/null +++ b/apparmor.d/quiterss 
@@ -0,0 +1,107 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/quiterss +profile quiterss @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # This one is needed when you want to receive sound notifications + ##include + + @{exec_path} mr, + + /{usr/,}bin/xdg-open rCx -> open, + + /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/quiterss/** r, + owner @{HOME}/.config/QuiteRss/ rw, + owner @{HOME}/.config/QuiteRss/** rwkl -> @{HOME}/.config/QuiteRss/**, + owner @{HOME}/.local/share/QuiteRss/ rw, + owner @{HOME}/.local/share/QuiteRss/** rwkl -> @{HOME}/.local/share/QuiteRss/QuiteRss/**, + owner @{HOME}/.cache/QuiteRss/ rw, + owner @{HOME}/.cache/QuiteRss/** rwl -> @{HOME}/.cache/QuiteRss/**, + + owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + # The orcexec.* file is JIT compiled code for various GStreamer elements. 
+ # If one is blocked the next is used instead.
+ owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+ #owner @{HOME}/orcexec.* mrw,
+ #owner /tmp/orcexec.* mrw,
+
+ deny /dev/ r,
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
+ owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/rdmsr b/apparmor.d/rdmsr
new file mode 100644
index 00000000..85a57cb3
--- /dev/null
+++ b/apparmor.d/rdmsr
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/rdmsr
+profile rdmsr @{exec_path} {
+ #include
+
+ # To access /dev/cpu/*/msr .
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ owner /dev/cpu/[0-9]*/msr r,
+
+ #include if exists
+}
diff --git a/apparmor.d/redshift b/apparmor.d/redshift
new file mode 100644
index 00000000..02542bd8
--- /dev/null
+++ b/apparmor.d/redshift
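Review bot: `owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,` in the quiterss hunk hard-codes the architecture into the GStreamer registry file name, while the rest of this commit uses `@{multiarch}` for architecture-dependent paths; on any other architecture the write is denied and the registry is rebuilt on every start. A glob such as `registry.*.bin{,.tmp*}` (or an arch tunable, if the repository defines one) keeps it portable. The quiterss profile starts on the previous line; the rdmsr hunk that shares this line raises nothing.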
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Cameron Norman
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/redshift
+profile redshift @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/GeoClue2/Client/[0-9]*[0-9],
+
+ dbus receive
+ bus=system
+ path=/org/freedesktop/GeoClue2/Manager,
+
+ # Allow but log any other dbus activity
+ audit dbus bus=system,
+
+ # Redshift config files
+ owner @{HOME}/.config/redshift/{,**} rw,
+ owner @{HOME}/.config/redshift.conf rw,
+
+ owner @{HOME}/.Xauthority r,
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
+
+ #include if exists
+}
diff --git a/apparmor.d/repo b/apparmor.d/repo
new file mode 100644
index 00000000..a7ff2efe
--- /dev/null
+++ b/apparmor.d/repo
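Review bot: `audit dbus bus=system,` in the redshift hunk grants every message on the system bus and merely logs it, so the two explicit GeoClue2 rules above it add nothing to the effective policy and serve only as documentation. Once the audit log shows which interfaces redshift actually touches, replace the catch-all with qualified rules (for example `dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager,`) and delete it, or extend the existing comment to mark it as a temporary rule-collection aid.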
@@ -0,0 +1,82 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/repo +profile repo @{exec_path} flags=(complain) { + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/python2.[0-9]* rix, + + /{usr/,}bin/ r, + /{usr/,}bin/env rix, + /{usr/,}bin/dash rix, + /{usr/,}bin/uname rix, + + /{usr/,}bin/git rix, + /{usr/,}lib/git-core/git rix, + /{usr/,}lib/git-core/git-* rix, + + /{usr/,}bin/curl rCx -> curl, + /{usr/,}bin/gpg rCx -> gpg, + + # Android source dir + owner /media/Android/** rwkl -> /media/Android/**, + owner /media/Android/**/.repo/repo/main.py rix, + + owner @{HOME}/.repoconfig/{,**} rw, + owner @{HOME}/.repo_.gitconfig.json rw, + + owner @{HOME}/.config/git/config r, + owner @{HOME}/.gitconfig r, + + /usr/share/git-core/{,**} r, + + owner /tmp/.git_vtag_tmp* rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + owner /dev/shm/* rw, + owner /dev/shm/sem.mp* rwl -> /dev/shm/*, + + + profile curl flags=(complain) { + #include + #include + #include + #include + + /{usr/,}bin/curl mr, + + } + + profile gpg flags=(complain) { + #include + + /{usr/,}bin/gpg mr, + + owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, + + } + + #include if exists +} diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug new file mode 100644 index 00000000..dc7c5c1a --- /dev/null +++ b/apparmor.d/reportbug 
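Review bot: `owner /media/Android/**/.repo/repo/main.py rix,` in the repo hunk runs code taken from the user-writable checkout inside this profile, so everything else the profile grants, including the `gpg` child's `rwkl` on `~/.repoconfig/gnupg/**`, is reachable by whatever the fetched repo tool contains; that is how the tool bootstraps itself, but a comment stating that the checkout is a trust boundary would make the choice explicit. `flags=(complain)` on the parent and on both children means nothing here is enforced yet; recording what is still missing would let the flag be dropped later. The `curl` child grants only `/{usr/,}bin/curl mr,` beyond its includes, whose targets are stripped in this rendering, so its network access cannot be checked from the hunk.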
@@ -0,0 +1,123 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/reportbug
+profile reportbug @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/share/reportbug/handle_bugscript rix,
+
+ /{usr/,}bin/ r,
+ /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/aa-enabled rix,
+ /{usr/,}sbin/selinuxenabled rix,
+ /{usr/,}bin/md5sum rix,
+
+ /{usr/,}bin/debconf-show rPx,
+ /{usr/,}bin/debsums rPx,
+ /{usr/,}bin/dlocate rPx,
+ /{usr/,}bin/apt-cache rPx,
+ /{usr/,}bin/dpkg-query rPx,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/pager rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/gpg rCx -> gpg,
+
+ # For sending additional information
+ /etc/** r,
+
+ /etc/reportbug.conf r,
+ owner @{HOME}/.reportbugrc r,
+
+ # Think what to do with it (#FIXME#)
+ /usr/share/bug/*/{control,presubj} r,
+ /usr/share/bug/* rPUx,
+
+ /{usr/,}lib/python3/dist-packages/pylocales/locales.db rk,
+
+ @{PROC}/1/cgroup r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/tainted r,
+
+ owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
+ owner /tmp/[a-z0-9]* rw,
+ owner /var/tmp/*.bug{,~} rw,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ }
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpg mr,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ owner /tmp/reportbug-*-{signed,unsigned}-[0-9]*-[0-9]*-* rw,
+
+ }
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/reprepro b/apparmor.d/reprepro
new file mode 100644
index 00000000..5ff17efc
--- /dev/null
+++ b/apparmor.d/reprepro
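Review bot: `owner /tmp/[a-z0-9]* rw,` matches any owner-owned lowercase-alphanumeric name directly under /tmp, far broader than the `reportbug-*` and `*.bug{,~}` patterns around it; if it exists for one helper's temp file, name the pattern or the helper in a comment so the rule can be narrowed later, e.g. `# TODO: narrow — which program creates these /tmp files?`. The `/usr/share/bug/* rPUx,` line already carries a FIXME, but since those per-package bug scripts run unconfined it would help to record the intended endpoint there (a dedicated child profile, or `rPx` once a profile for them exists) rather than only that it is unresolved. The hunk begins on the previous source line.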
@@ -0,0 +1,78 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{REPO_DIR} = /media/debuilder/repo
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/reprepro
+profile reprepro @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # The repository dir
+ owner @{REPO_DIR}/debian/ r,
+ owner @{REPO_DIR}/debian/conf/{distributions,options} r,
+
+ owner @{REPO_DIR}/debian/db/lockfile rw,
+ owner @{REPO_DIR}/debian/db/version{,.new} rw,
+ owner @{REPO_DIR}/debian/db/packages.db rw,
+ owner @{REPO_DIR}/debian/db/references.db rw,
+ owner @{REPO_DIR}/debian/db/release.caches.db rw,
+ owner @{REPO_DIR}/debian/db/contents.cache.db rw,
+ owner @{REPO_DIR}/debian/db/checksums.db rw,
+
+ owner @{REPO_DIR}/debian/dists/*/*/binary-*/Packages{,.gz} w,
+ owner @{REPO_DIR}/debian/dists/*/*/binary-*/Packages{,.gz}.new rw,
+ owner @{REPO_DIR}/debian/dists/*/*/source/Sources{,.gz} w,
+ owner @{REPO_DIR}/debian/dists/*/*/source/Sources{,.gz}.new rw,
+ owner @{REPO_DIR}/debian/dists/*/{In,}Release{,.new} rw,
+ owner @{REPO_DIR}/debian/dists/*/Release.gpg{,.new} rw,
+
+ owner @{REPO_DIR}/debian/**/ w,
+ owner @{REPO_DIR}/debian/pool/*/*/*/*.tar.* rw,
+ owner @{REPO_DIR}/debian/pool/*/*/*/*.dsc rw,
+ owner @{REPO_DIR}/debian/pool/*/*/*/*.deb rw,
+ owner @{REPO_DIR}/debian/pool/*/*/*/*.git rw,
+
+ # Dirs containing .deb files
+ owner @{REPO_DIR}/*.deb r,
+
+ # For package building
+ owner @{BUILD_DIR}/pbuilder/result/*.{dsc,changes} r,
+ owner
@{BUILD_DIR}/pbuilder/result/*.deb r,
+ owner @{BUILD_DIR}/pbuilder/result/*.tar.* r,
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpgconf mr,
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpgsm mr,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/resize2fs b/apparmor.d/resize2fs
new file mode 100644
index 00000000..e2714f96
--- /dev/null
+++ b/apparmor.d/resize2fs
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/resize2fs
+profile resize2fs @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ # A place for file images
+ owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/rfkill b/apparmor.d/rfkill
new file mode 100644
index 00000000..144371f4
--- /dev/null
+++ b/apparmor.d/rfkill
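Review bot: `@{BUILD_DIR} = /media/debuilder/` carries a trailing slash while `@{REPO_DIR}` does not, so `@{BUILD_DIR}/pbuilder/result/*.deb r,` and its neighbours expand to a doubled slash (`/media/debuilder//pbuilder/...`); whether the parser normalises that seems to depend on the AppArmor version, so defining `@{BUILD_DIR} = /media/debuilder` keeps the two variables consistent and the expansion unambiguous. Both variables are also site-specific paths hard-coded into a profile shipped for general use; a comment such as `# adjust to the local build/repository layout` above them would help anyone deploying it. The hunk begins on the previous source line.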
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/rfkill
+profile rfkill @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /dev/rfkill rw,
+
+ @{sys}/devices/pci[0-9]*/**/rfkill[0-9]/{name,type} r,
+ @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r,
+
+ #include if exists
+}
diff --git a/apparmor.d/rpi-imager b/apparmor.d/rpi-imager
new file mode 100644
index 00000000..944ad368
--- /dev/null
+++ b/apparmor.d/rpi-imager
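Review bot: `@{sys}/devices/pci[0-9]*/**/rfkill[0-9]/{name,type} r,` and the platform line below it match only `rfkill0`–`rfkill9`; the index grows with every hotplug or module reload, so a tenth device would be denied, and `rfkill[0-9]*` is the form the other numbered rules in this commit use (`/dev/tty[0-9]*`, `card[0-9]*`). A one-line comment on `/dev/rfkill rw,` (`# w is what lets the tool change the soft-block state, not only list devices`) would make the write permission reviewable at a glance.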
@@ -0,0 +1,103 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/rpi-imager
+profile rpi-imager @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #capability sys_admin,
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ /usr/bin/lsblk rCx -> lsblk,
+
+ # When rpi-imager is run as root, it wants to exec dbus-launch, and hence it creates the two
+ # following root processes:
+ # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
+ # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
+ #
+ # Should this be allowed? Rpi-imager works fine without this.
+ #/{usr/,}bin/dbus-launch rCx -> dbus,
+ #/{usr/,}bin/dbus-send rCx -> dbus,
+ deny /{usr/,}bin/dbus-launch rx,
+ deny /{usr/,}bin/dbus-send rx,
+
+ owner "@{HOME}/.config/Raspberry Pi/" rw,
+ owner "@{HOME}/.config/Raspberry Pi/Imager.conf" rw,
+ owner "@{HOME}/.config/Raspberry Pi/Imager.conf.lock" rwk,
+
+ owner "@{HOME}/.cache/Raspberry Pi/" rw,
+ owner "@{HOME}/.cache/Raspberry Pi/**" rwl -> "@{HOME}/.cache/Raspberry Pi/**",
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/qtshadercache/ rw,
+ owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
+ owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ owner @{HOME}/.config/QtProject.conf r,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ /etc/X11/cursors/*.theme r,
+
+ /dev/disk/by-label/ r,
+
+
+ profile lsblk {
+ #include
+ #include
+ #include
+
+ /usr/bin/lsblk mr,
+
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ # file_inherit
+ /dev/dri/card[0-9]* rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/rredtool b/apparmor.d/rredtool
new file mode 100644
index 00000000..c8842289
--- /dev/null
+++ b/apparmor.d/rredtool
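Review bot: the `deny /{usr/,}bin/dbus-launch rx,` and `deny /{usr/,}bin/dbus-send rx,` rules silence the very question the comment above them asks — a plain `deny` rule is quiet, so if rpi-imager ever does need dbus the refusal will not show up in the logs. `audit deny /{usr/,}bin/dbus-launch rx,` (and the same for `dbus-send`) keeps the block while recording each attempt, which is what resolving "Should this be allowed?" requires. The commented-out `rCx -> dbus` lines refer to a `dbus` child profile that this file does not define (only `lsblk` is), so they should be dropped or re-enabled together with that profile. The hunk begins on the previous source line.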
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/rredtool
+profile rredtool @{exec_path} flags=(complain) {
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/rsyslogd b/apparmor.d/rsyslogd
new file mode 100644
index 00000000..83985d9d
--- /dev/null
+++ b/apparmor.d/rsyslogd
@@ -0,0 +1,59 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Debugging the syslogger can be difficult if it can't write to the file
+# that the kernel is logging denials to. In these cases, you can do the
+# following:
+# watch -n 1 'dmesg | tail -5'
+
+@{exec_path} = /{usr/,}sbin/rsyslogd
+profile rsyslogd @{exec_path} {
+ #include
+ #include
+
+ capability syslog,
+
+ # for remote logs
+ capability net_admin,
+
+ # Needed?
+ deny capability sys_nice,
+
+ # for creating new log files and changing their owner/group
+ capability chown,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/rsyslog/*.so mr,
+
+ # rsyslog configuration
+ /etc/rsyslog.conf r,
+ /etc/rsyslog.d/{,**} r,
+ /var/spool/rsyslog/ r,
+ /var/spool/rsyslog/** rw,
+
+ owner /{,var/}run/rsyslogd.pid{,.tmp} rwk,
+ owner /{,var/}run/systemd/journal/syslog w,
+
+ # log files and devices
+ /var/log/** rw,
+ @{PROC}/kmsg r,
+
+ # a cert for gtls module
+ /etc/CA/*.crt r,
+ /etc/CA/*.key r,
+
+ #include if exists
+}
diff --git a/apparmor.d/rtkit-daemon b/apparmor.d/rtkit-daemon
new file mode 100644
index 00000000..02fb286d
--- /dev/null
+++ b/apparmor.d/rtkit-daemon
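Review bot: `capability net_admin,` is justified only by `# for remote logs`, yet net_admin also covers interface, routing and firewall configuration, so the comment should name the rsyslog feature or call that triggered it, along the lines of `# net_admin: needed by <MODULE> for <SYSCALL/OPTION>, seen as a denial when <SITUATION>` with the placeholders filled in from the audit log. If it was added after a single denial, running one cycle with `audit capability net_admin,` would show whether it is still exercised. `deny capability sys_nice,` with `# Needed?` has the mirror problem: a quiet deny hides the answer, so `audit deny capability sys_nice,` is the form that can actually settle the question.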
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+
+@{exec_path} = /usr/libexec/rtkit-daemon
+profile rtkit-daemon @{exec_path} {
+ #include
+ #include
+
+ # To raise process nice and set scheduling policies (real-time) and priorities
+ capability sys_nice,
+
+ # To chroot /proc/
+ capability sys_chroot,
+
+ # To run daemon as rtkit:rtkit
+ capability setgid,
+ capability setuid,
+
+ # The two are visible in systemd service, but it doesn't seem they're needed
+ #capability dac_read_search,
+ #capability sys_ptrace,
+
+ @{exec_path} mr,
+
+ # When applying policies to processes
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/limits r,
+
+ #include if exists
+}
diff --git a/apparmor.d/rtkitctl b/apparmor.d/rtkitctl
new file mode 100644
index 00000000..ed3bcc14
--- /dev/null
+++ b/apparmor.d/rtkitctl
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/rtkitctl
+profile rtkitctl @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/run-parts b/apparmor.d/run-parts
new file mode 100644
index 00000000..7af7e71f
--- /dev/null
+++ b/apparmor.d/run-parts
@@ -0,0 +1,115 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/run-parts
+profile run-parts @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # This is for motd PAM module (see: /etc/pam.d/login) when "noupdate" isn't specified
+ /etc/update-motd.d/ r,
+ /etc/update-motd.d/[0-9]*-[a-z]* rCx -> motd,
+
+ # The "/etc/kernel/" dirs are for the pre/post scripts of the linux-{header,image} packages
+ /etc/kernel/header_postinst.d/ r,
+ /etc/kernel/header_postinst.d/dkms rCx -> kernel-pre-post,
+
+ /etc/kernel/postinst.d/ r,
+ /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel-pre-post,
+ /etc/kernel/postinst.d/dkms rCx -> kernel-pre-post,
+ /etc/kernel/postinst.d/initramfs-tools rCx -> kernel-pre-post,
+ /etc/kernel/postinst.d/zz-update-grub rCx -> kernel-pre-post,
+
+ /etc/kernel/postrm.d/ r,
+ /etc/kernel/postrm.d/initramfs-tools rCx -> kernel-pre-post,
+ /etc/kernel/postrm.d/zz-update-grub rCx -> kernel-pre-post,
+
+ /etc/kernel/preinst.d/ r,
+ /etc/kernel/preinst.d/intel-microcode rCx -> kernel-pre-post,
+
+ /etc/kernel/prerm.d/ r,
+ /etc/kernel/prerm.d/dkms rCx -> kernel-pre-post,
+
+ owner /tmp/#[0-9]*[0-9] rw,
+
+
+ profile motd {
+ #include
+
+ /etc/update-motd.d/[0-9]*-[a-z]* r,
+
+ /{usr/,}bin/dash r,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/cat rix,
+
+ }
+
+ profile kernel-pre-post {
+ #include
+ #include
+
+ /etc/kernel/header_postinst.d/* r,
+ /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
+
+ /{usr/,}bin/bash r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/which rix,
+
+ /{usr/,}bin/kmod rix,
+
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /{usr/,}sbin/dkms rPx,
+ /{usr/,}sbin/update-initramfs rPx,
+ /{usr/,}lib/dkms/dkms_autoinstaller rPx,
+
+ /{usr/,}bin/apt-config rPx,
+
+ # (#FIXME#)
+ /{usr/,}sbin/update-grub rPUx,
+ /{usr/,}bin/systemd-detect-virt rPUx,
+
+ / r,
+ /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
+
+ # For kmod
+ @{PROC}/cmdline r,
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/*.conf r,
+ /{usr/,}lib/modules/*/updates/ w,
+ /{usr/,}lib/modules/*/updates/dkms/ w,
+
+ @{PROC}/devices r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/runuser b/apparmor.d/runuser
new file mode 100644
index 00000000..247d5931
--- /dev/null
+++ b/apparmor.d/runuser
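Review bot: the `kernel-pre-post` child profile is shared by hooks from several packages (`dkms`, `initramfs-tools`, `zz-update-grub`, `apt-auto-removal`, `intel-microcode`), so every hook receives the union of what all of them need — including the `rPUx` escapes to `update-grub` and `systemd-detect-virt` that already carry a FIXME — and that trade-off is not written down anywhere. A comment above the child profile would do: `# One profile for all /etc/kernel hooks: permissions are the union of what each hook needs; split per hook if they diverge further`. In the same child profile the interpreters are `r` only (`/{usr/,}bin/bash r,`, `/{usr/,}bin/dash r,`) while the utilities are `rix`; if that asymmetry is deliberate (interpreter resolved as part of the `rCx` transition) a one-line comment saying so would stop readers from "fixing" it. The hunk begins on the previous source line.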
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/runuser
+profile runuser @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # To remove the following errors:
+ # runuser: cannot set user id: Operation not permitted
+ capability setuid,
+
+ # To remove the following errrors:
+ # runuser: cannot set groups: Operation not permitted
+ capability setgid,
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ # Needed? (#FIXME#)
+ capability sys_resource,
+
+ @{exec_path} mr,
+
+ # Shells to use
+ /{usr/,}bin/{,b,d,rb}ash rpux,
+ /{usr/,}bin/{c,k,tc,z}sh rpux,
+
+ owner @{PROC}/@{pid}/loginuid r,
+ @{PROC}/1/limits r,
+
+ /etc/security/limits.d/ r,
+
+ /etc/default/runuser r,
+
+ #include if exists
+}
diff --git a/apparmor.d/sbin.klogd b/apparmor.d/sbin.klogd
new file mode 100644
index 00000000..8f4b22d3
--- /dev/null
+++ b/apparmor.d/sbin.klogd
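Review bot: `/{usr/,}bin/{,b,d,rb}ash rpux,` and `/{usr/,}bin/{c,k,tc,z}sh rpux,` use the lowercase `p`/`u` transition, which does not scrub the environment across the exec, whereas every other profile in this commit uses `rPUx`. runuser's whole purpose is to start a shell as a different user after setuid/setgid, so a caller-controlled environment (`LD_PRELOAD` and friends) surviving into the new user's shell is exactly what scrubbing is for; switch to `rPUx` unless the unscrubbed form is deliberate (e.g. to honour `--preserve-environment`), and in that case say so in a comment. `capability sys_resource,` is marked `# Needed? (#FIXME#)`; `audit capability sys_resource,` would answer that from the logs instead of leaving the grant in place.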
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) {
+ #include
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /{usr/,}{bin,sbin}/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/sbin.syslog-ng b/apparmor.d/sbin.syslog-ng
new file mode 100644
index 00000000..b03af238
--- /dev/null
+++ b/apparmor.d/sbin.syslog-ng
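Review bot: the closing `#include` of the local override in this profile — and likewise in the `sbin.syslog-ng` and `sbin.syslogd` hunks on the next two source lines — is an unconditional include, while the rest of this commit uses `#include if exists` for the `local/` files; if the referenced local file is missing the parser rejects the whole profile instead of skipping the include. Since these three were copied from upstream, and this repository may be deployed without the packaging hooks that normally create the `local/` stubs, the conditional form is the safer choice here. The include target is not visible in this rendering (the angle-bracketed name was stripped), so check the exact path when changing it.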
@@ -0,0 +1,68 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2006 Christian Boltz
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+#define this to be where syslog-ng is chrooted
+@{CHROOT_BASE}=""
+
+profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability fowner,
+ capability sys_tty_config,
+ capability sys_resource,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log w,
+ /dev/syslog w,
+ /dev/tty10 rw,
+ /dev/xconsole rw,
+ /dev/kmsg r,
+ /etc/machine-id r,
+ /etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
+ @{PROC}/kmsg r,
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+ /{usr/,}{bin,sbin}/syslog-ng mr,
+ @{sys}/devices/system/cpu/online r,
+ /usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
+ # chrooted applications
+ @{CHROOT_BASE}/var/lib/*/dev/log w,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
+ @{CHROOT_BASE}/var/log/** w,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /{var,var/run,run}/log/journal/ r,
+ /{var,var/run,run}/log/journal/*/ r,
+ /{var,var/run,run}/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
+ /{var/,}run/syslog-ng/additional-log-sockets.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/sbin.syslogd b/apparmor.d/sbin.syslogd
new file mode 100644
index 00000000..1b54029d
--- /dev/null
+++ b/apparmor.d/sbin.syslogd
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability sys_tty_config,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability setgid,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log wl,
+ /var/lib/*/dev/log wl,
+
+ /dev/tty* w,
+ /dev/xconsole rw,
+ /etc/syslog.conf r,
+ /{usr/,}{bin,sbin}/syslogd rmix,
+ /var/log/** rw,
+ /{,var/}run/syslogd.pid krwl,
+ /{,var/}run/utmp rw,
+ /var/spool/compaq/nic/messages_fifo rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/scdaemon b/apparmor.d/scdaemon
new file mode 100644
index 00000000..3af56021
--- /dev/null
+++ b/apparmor.d/scdaemon
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/gnupg/scdaemon
+profile scdaemon @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.gnupg/scdaemon.conf r,
+
+ owner /{,var/}run/user/[0-9]*/gnupg/S.scdaemon rw,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ /{var/,}run/udev/data/+usb:* r, #
+
+ /dev/bus/usb/ r,
+ @{sys}/bus/ r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent,bConfigurationValue} r,
+
+ #include if exists
+}
diff --git a/apparmor.d/scrot b/apparmor.d/scrot
new file mode 100644
index 00000000..c7b6acf3
--- /dev/null
+++ b/apparmor.d/scrot
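Review bot: `@{PROC}/@{pid}/task/@{tid}/comm rw,` is the only proc rule in this profile without `owner`; if `@{pid}` comes from the tunables as a numeric glob rather than from the kernel's own-pid variable, the rule permits writing the thread names of any process DAC allows, not just scdaemon's own threads. `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` matches the convention the other profiles in this commit follow. The two `/{var/,}run/udev/data/...` rules share one trailing comment split as `# for /dev/bus/usb/**` and a bare `#`; putting the explanation above both lines is a small readability fix.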
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/scrot
+profile scrot @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # "mv" is needed to change the image dir
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/mv rix,
+
+ # The image dir
+ owner @{HOME}/*.png rw,
+
+ owner @{HOME}/.Xauthority r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ owner @{HOME}/.icons/default/index.theme r,
+ /usr/share/icons/*/index.theme r,
+ /usr/share/icons/*/cursors/* r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/sddm b/apparmor.d/sddm
new file mode 100644
index 00000000..a73f87e5
--- /dev/null
+++ b/apparmor.d/sddm
@@ -0,0 +1,212 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/sddm
+profile sddm @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # To remove the following errors:
+ # chown("/tmp/sddm-:0-YPUOCV", 123, 132) = -1 EPERM (Operation not permitted)
+ capability chown,
+
+ # To remove the following errors:
+ # sddm-helper[]: pam_keyinit(sddm-greeter:session): Unable to change GID to 132 temporarily
+ # sddm-helper[]: setgid( 132 ) failed for user: "sddm"
+ capability setgid,
+
+ # To remove the following errors:
+ # sddm-helper[]: pam_keyinit(sddm-greeter:session): Unable to change UID to 123 temporarily
+ # sddm-helper[]: pam_unix(sddm-greeter:session): session opened for user sddm by (uid=0)
+ capability setuid,
+
+ # To remove the following errors:
+ # sddm-helper[]: pam_limits(sddm-greeter:session): Could not set limit for 'nofile' to soft=1024,
+ # hard=1048576: Operation not permitted; uid=0,euid=0
+ # sddm-helper[*]: pam_limits(sddm-greeter:session): Could not set limit for 'memlock' to
+ # soft=1017930240, hard=1017930240: Operation not permitted; uid=0,euid=0
+ capability sys_resource,
+
+ # To be able to display messages
+ # sddm-greeter[98834]: Connected to the daemon.
+ # sddm[98806]: Message received from greeter: Connect
+ # ...
+ # sddm-greeter[98834]: Message received from daemon: Capabilities
+ # sddm-greeter[98834]: Message received from daemon: HostName
+ # ...
+ # sddm[98806]: Message received from greeter: Login
+ # ...
+ # sddm-greeter[98834]: Message received from daemon: LoginSucceeded
+ capability audit_write,
+
+ # To read the /var/lib/sddm/state.conf file
+ capability dac_read_search,
+
+ # Needed?
+ #capability sys_tty_config,
+ deny capability net_admin,
+
+ ptrace (trace) peer=@{profile_name},
+
+ signal (send) set=(kill, term) peer=xorg,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
+ /{usr/,}bin/dash mrix,
+
+ /{usr/,}bin/sddm-greeter rPx,
+ /etc/sddm/Xsession rPx,
+ /{usr/,}bin/Xorg rPx,
+
+ /{usr/,}bin/xauth rCx -> xauth,
+ /{usr/,}bin/xsetroot rPx,
+ /{usr/,}bin/sway rPUx,
+
+ # System keyrings
+ /{usr/,}bin/gnome-keyring-daemon rPx,
+ /{usr/,}bin/kwalletd5 rPx,
+
+ # SDDM scripts
+ # What to do with it? (#FIXME#)
+ /usr/share/sddm/scripts/Xsetup rPUx,
+ /usr/share/sddm/scripts/Xstop rPUx,
+ /usr/share/sddm/scripts/wayland-session rPUx,
+ /usr/share/sddm/scripts/Xsession rPUx,
+ #/usr/share/sddm/scripts/Xsetup rCx -> sddm-scripts,
+ #/usr/share/sddm/scripts/Xstop rCx -> sddm-scripts,
+ #/usr/share/sddm/scripts/wayland-session rCx -> sddm-scripts,
+ #/usr/share/sddm/scripts/Xsession rCx -> sddm-scripts,
+
+ # Create kwallet dirs and files
+ owner @{HOME}/.local/share/kwalletd/ rw,
+ owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw,
+ @{HOME}/.local/share/kwalletd/kdewallet.salt r,
+ owner /{,var/}run/user/[0-9]*/kwallet5.socket rw,
+ /var/log/btmp wk,
+
+ # Themes
+ /usr/share/sddm/themes/** r,
+ /usr/share/plasma/desktoptheme/** r,
+ /usr/share/desktop-base/softwaves-theme/login/*.svg r,
+
+ # List of graphical sessions
+ /usr/share/xsessions/{,*.desktop} r,
+ /usr/share/wayland-sessions/{,*.desktop} r,
+
+ owner /var/lib/sddm/** rw,
+ owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
+ owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
+ /var/lib/sddm/state.conf rw,
+
+ /etc/sddm.conf.d/{,*} r,
+ /etc/sddm.conf r,
+
+ # User avatars
+ /usr/share/sddm/faces/.*.icon r,
+ /var/lib/AccountsService/icons/*.icon r,
+
+ #
QT
+ /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/*.so mr,
+ /{usr/,}lib/@{multiarch}/qt5/plugins/plasma/dataengine/*.so mr,
+ /{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/**.qmlc mr,
+ /{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/Private/*.jsc mr,
+
+ # TMP files
+ owner /tmp/sddm-auth* rw,
+ /tmp/sddm-* rw,
+ owner /tmp/*/{,s} rw,
+
+ owner /{,var/}run/sddm/ rw,
+ /{,var/}run/sddm/* w,
+
+ # Session error logs
+ # Creating the dir structure is needed when a new user is logging in for the very first time
+ # using SDDM.
+ owner @{HOME}/.local/ w,
+ owner @{HOME}/.local/share/ w,
+ owner @{HOME}/.local/share/sddm/ w,
+
+ /{usr/,}lib/@{multiarch}/ld-*.so mr,
+
+ /etc/security/limits.d/ r,
+
+ owner @{HOME}/.Xauthority rw,
+
+ /etc/default/locale r,
+ /etc/environment r,
+
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/uid_map r,
+ owner @{PROC}/1/limits r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ / r,
+
+ # Run SDDM on a specific TTY
+ /dev/tty[0-9]* rw,
+
+ /{,var/}run/systemd/sessions/[0-9]*.ref rw,
+
+
+ profile sddm-scripts {
+ #include
+ #include
+ #include
+
+ /usr/share/sddm/scripts/Xsetup r,
+ /usr/share/sddm/scripts/Xstop r,
+ /usr/share/sddm/scripts/wayland-session r,
+ /usr/share/sddm/scripts/Xsession r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/zsh rix,
+
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/flatpak rPUx,
+ /{usr/,}bin/sway rPUx,
+
+ /{usr/,}bin/dbus-run-session rix,
+ /{usr/,}bin/dbus-daemon rPUx,
+
+ }
+
+ profile xauth {
+ #include
+
+ /{usr/,}bin/xauth mr,
+
+ owner @{HOME}/.Xauthority-c w,
+ owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
+ owner @{HOME}/.Xauthority-n rw,
+ owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
+
+ owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
+ owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl ->
/{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
+ owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
+ owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/sddm-greeter b/apparmor.d/sddm-greeter
new file mode 100644
index 00000000..0278c3c9
--- /dev/null
+++ b/apparmor.d/sddm-greeter
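Review bot: the `sddm-scripts` child profile is dead code — all four `rCx -> sddm-scripts` transitions are commented out and the scripts run `rPUx` instead, so nothing ever enters it. Either re-enable the transitions (the child already lists the interpreters and `dbus-run-session` the scripts appear to need) or delete it until the FIXME is resolved, so readers do not assume the scripts are confined. Separately, `/tmp/sddm-* rw,` and `/{,var/}run/sddm/* w,` are not `owner`-qualified while the neighbouring `owner /tmp/sddm-auth* rw,` is; a comment stating why the non-owner form is required (presumably files created under the greeter's uid) would make that reviewable. The hunk starts three source lines earlier.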
@@ -0,0 +1,109 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/sddm-greeter
+profile sddm-greeter @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner /var/lib/sddm/** rw,
+ owner /var/lib/sddm/#[0-9]*[0-9] mrw,
+ owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
+ /var/lib/sddm/state.conf r,
+
+ /usr/share/sddm/{,**} r,
+
+ /etc/sddm.conf.d/{,*} r,
+ /etc/sddm.conf r,
+
+ # QT
+ /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/*.so mr,
+ /{usr/,}lib/@{multiarch}/qt5/plugins/plasma/dataengine/*.so mr,
+ /{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/**.qmlc mr,
+ /{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/Private/*.jsc mr,
+ /{usr/,}lib/@{multiarch}/qt5/qml/QtGraphicalEffects/private/DropShadowBase.qmlc mr,
+
+ # List of graphical sessions
+ /usr/share/xsessions/{,*.desktop} r,
+ /usr/share/wayland-sessions/{,*.desktop} r,
+
+ # Themes
+ /usr/share/plasma/desktoptheme/** r,
+ /usr/share/desktop-base/softwaves-theme/login/*.svg r,
+
+ # User avatars
+ /var/lib/AccountsService/icons/*.icon r,
+
+ # All the following is for the test mode
+ #------------------------------------------------------------------
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/sddm-greeter/ rw,
+ owner @{HOME}/.cache/sddm-greeter/qmlcache/ rw,
+ owner @{HOME}/.cache/sddm-greeter/qmlcache/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/sddm-greeter/qmlcache/[a-f0-9]*.jsc* rwl -> @{HOME}/.cache/sddm-greeter/qmlcache/#[0-9]*[0-9],
+ owner
@{HOME}/.cache/sddm-greeter/qmlcache/[a-f0-9]*.qmlc* rwl -> @{HOME}/.cache/sddm-greeter/qmlcache/#[0-9]*[0-9], + + owner @{HOME}/.cache/qtshadercache/ rw, + owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + # If one is blocked, the others are probed. + deny owner @{HOME}/#[0-9]*[0-9] mrw, + owner @{HOME}/.glvnd* mrw, + # owner /tmp/#[0-9]*[0-9] mrw, + # owner /tmp/.glvnd* mrw, + + owner @{HOME}/.config/kdeglobals r, + owner @{HOME}/.config/plasmarc r, + owner @{HOME}/.cache/icon-cache.kcache rw, + owner @{HOME}/.cache/plasma_theme_*.kcache rw, + owner @{HOME}/.cache/plasma-svgelements-* rw, + + #include + + owner @{PROC}/@{pid}/cmdline r, + #------------------------------------------------------------------ + + /etc/fstab r, + + /usr/share/hwdata/pnp.ids r, + + owner /{,var/}run/sddm/{,*} rw, + + /{usr/,}lib/@{multiarch}/ld-*.so mr, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/core_pattern r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + #/dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/sddm-xsession b/apparmor.d/sddm-xsession new file mode 100644 index 00000000..306aa7d1 --- /dev/null +++ b/apparmor.d/sddm-xsession 
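Review bot: Three rules grant `m` together with `w` on paths the greeter itself writes — `owner /var/lib/sddm/#[0-9]*[0-9] mrw`, `owner /var/lib/sddm/.cache/** mrwkl -> ...` and `owner @{HOME}/.glvnd* mrw` — so files the process creates there can also be mapped executable (W+X); if Qt's qmlcache really requires mmap of its own cache, say so next to the rule, e.g. `# W+X: Qt mmaps the qmlcache files it writes`, otherwise drop `m`. The block headed "All the following is for the test mode" is not conditional on anything, so the @{HOME} cache/config grants are live in the deployed greeter profile; a comment stating that is accepted, or moving those rules into the local include, would make the intent clear. The closing `#include if exists` line's argument is not visible here, so I cannot tell whether a local override already exists.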
@@ -0,0 +1,144 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /etc/sddm/Xsession +profile sddm-xsession @{exec_path} { + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/dash rix, + + /{usr/,}bin/rm rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/which rix, + /{usr/,}bin/id rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/date rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tempfile rix, + /{usr/,}bin/mktemp rix, + + /{usr/,}bin/ r, + /{usr/,}bin/bash rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/tcsh rix, + /{usr/,}bin/csh rix, + /{usr/,}bin/fish rix, + + /usr/local/bin/ r, + + /etc/X11/Xsession rPx, + + /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, + + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/udevadm rCx -> udevadm, + + /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/xrdb rPx, + /{usr/,}bin/numlockx rPx, + /{usr/,}bin/xhost rPx, + + + # Allowed GUI sessions to start + #/{usr/,}bin/openbox-session rPx, + #/{usr/,}bin/openbox rPx, + /{usr/,}bin/ssh-agent rPx, + + owner /tmp/xsess-env-* rw, + owner /tmp/file* rw, + + /etc/default/{,*} r, + + /etc/X11/{,**} r, + + owner @{PROC}/@{pid}/loginuid r, + + # Xsession logs + owner @{HOME}/.local/share/sddm/xorg-session.log w, + owner @{HOME}/.xsession-errors w, + + /etc/zsh/* r, + + + profile run-parts { + #include + + /{usr/,}bin/run-parts mr, + + /etc/X11/Xsession.d/ r, + /etc/X11/Xresources/ r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + profile dbus { + #include + + 
/{usr/,}bin/dbus-update-activation-environment mr, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + profile gpg { + #include + + /{usr/,}bin/gpgconf mr, + + /{usr/,}bin/gpg-agent rix, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + @{PROC}/@{pid}/fd/ r, + + } + + profile udevadm { + #include + + /{usr/,}bin/udevadm mr, + + /etc/udev/udev.conf r, + + owner @{PROC}/@{pid}/stat r, + @{PROC}/cmdline r, + @{PROC}/1/sched r, + @{PROC}/1/environ r, + @{PROC}/sys/kernel/osrelease r, + + @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*[0-9a-f]* r, + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + /{var/,}run/udev/data/* r, + + } + + #include if exists +} diff --git a/apparmor.d/sensors b/apparmor.d/sensors new file mode 100644 index 00000000..4bf1e69d --- /dev/null +++ b/apparmor.d/sensors 
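Review bot: `/{usr/,}bin/flatpak rPUx` is the one exec in this session script that leaves confinement entirely whenever no flatpak profile is loaded, and presumably it inherits the full login environment that is dumped to `/tmp/xsess-env-*` on the same hunk; a one-line comment such as `# flatpak: runs unconfined if no flatpak profile is loaded (PUx)` would record that this is deliberate. The same unconfined-fallback semantics apply to the `rPUx` rules in setpriv, signal-desktop, smplayer and smtube later in this commit. `owner /tmp/file* rw` also matches any owner file in /tmp whose name starts with `file`; if tempfile(1) is the only producer, `owner /tmp/file?????? rw,` is tighter.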
@@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/sensors +profile sensors @{exec_path} { + #include + #include + + @{exec_path} mr, + + # Sensors config files + /etc/sensors.d/{,*} r, + /etc/sensors3.conf r, + + @{sys}/devices/pci[0-9]*/**/name r, + + @{sys}/class/i2c-adapter/ r, + @{sys}/class/hwmon/ r, + @{sys}/devices/virtual/hwmon/hwmon[0-9]* r, + @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r, + @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r, + @{sys}/devices/**/hwmon*/{,**/} r, + @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, + @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, + + # file_inherit + deny @{PROC}/@{pid}/net/dev r, + deny @{PROC}/@{pid}/stat r, + deny @{PROC}/@{pid}/net/tcp{,6} r, + deny @{PROC}/@{pid}/net/if_inet6 r, + deny @{PROC}/@{pid}/cmdline r, + deny @{PROC}/uptime r, + deny @{PROC}/diskstats r, + deny @{PROC}/loadavg r, + deny @{PROC}/@{pid}/io r, + + #include if exists +} diff --git a/apparmor.d/sensors-detect b/apparmor.d/sensors-detect new file mode 100644 index 00000000..678b983b --- /dev/null +++ b/apparmor.d/sensors-detect 
@@ -0,0 +1,83 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/sensors-detect +profile sensors-detect @{exec_path} { + #include + #include + + capability syslog, + + @{exec_path} r, + /{usr/,}bin/perl r, + + /usr/bin/uname rix, + + /usr/bin/udevadm rCx -> udevadm, + /usr/bin/kmod rCx -> kmod, + + /etc/udev/udev.conf r, + + @{sys}/bus/pci/devices/ r, + @{sys}/class/i2c-adapter/ r, + + @{sys}/devices/pci[0-9]*/**/{class,vendor,device} r, + @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r, + @{sys}/devices/pci[0-9]*/**/modalias r, + @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, + @{sys}/devices/virtual/dmi/id/product_{version,name} r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + /dev/i2c-[0-9]* r, + + owner @{PROC}/@{pid}/mounts r, + /proc/modules r, + + + profile udevadm { + #include + + capability sys_ptrace, + + ptrace (read), + + /{usr/,}bin/udevadm mr, + + /etc/udev/udev.conf r, + + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/sys/kernel/random/boot_id r, + + } + + profile kmod { + #include + + /{usr/,}bin/kmod mr, + + @{PROC}/cmdline r, + + /{usr/,}lib/modprobe.d/ r, + /{usr/,}lib/modprobe.d/*.conf r, + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + } + + #include if exists +} diff --git a/apparmor.d/setpci b/apparmor.d/setpci new file mode 100644 index 00000000..fb3fbc39 --- /dev/null +++ b/apparmor.d/setpci 
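Review bot: The parent transitions with `/usr/bin/udevadm rCx -> udevadm` and `/usr/bin/kmod rCx -> kmod` (and `/usr/bin/uname rix`), while the child profiles and every other profile in this commit use the `/{usr/,}bin/` form, so on a system without merged /usr the exec paths would not match and the children would never be entered; change them to `/{usr/,}bin/udevadm rCx -> udevadm,` and `/{usr/,}bin/kmod rCx -> kmod,`. `/proc/modules r` should likewise be `@{PROC}/modules r,` to match `owner @{PROC}/@{pid}/mounts r` on the line above. The udevadm child grants `capability sys_ptrace` plus an unrestricted `ptrace (read)`; a comment naming the udevadm operation that needs to read other processes would let a later reviewer judge whether a `peer=` restriction is possible.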
@@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/setpci +profile setpci @{exec_path} flags=(complain) { + #include + + @{exec_path} mr, + + @{sys}/bus/pci/devices/ r, + @{sys}/devices/pci[0-9]*/** r, + + #include if exists +} diff --git a/apparmor.d/setpriv b/apparmor.d/setpriv new file mode 100644 index 00000000..7e515485 --- /dev/null +++ b/apparmor.d/setpriv @@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/setpriv +profile setpriv @{exec_path} { + #include + #include + + @{exec_path} mr, + + /{usr/,}bin/[a-z0-9]* rPUx, + /{usr/,}sbin/[a-z0-9]* rPUx, + + #include if exists +} diff --git a/apparmor.d/sfdisk b/apparmor.d/sfdisk new file mode 100644 index 00000000..bbe7f39f --- /dev/null +++ b/apparmor.d/sfdisk 
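Review bot: `flags=(complain)` on the setpci profile means nothing is enforced — denials are only logged — so setpci, which writes PCI configuration space, is effectively unconfined by this file. A comment above the profile line stating why it is still audit-only and what is known to be missing, e.g. `# complain mode: still collecting denials, not enforced yet`, stops a reader from assuming the tool is confined.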
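Review bot: In setpriv, `/{usr/,}bin/[a-z0-9]* rPUx` and `/{usr/,}sbin/[a-z0-9]* rPUx` make every target without a profile of its own run unconfined, so this profile is in effect a gateway out of confinement for any caller allowed to exec setpriv; that should be stated in a comment, e.g. `# targets without their own profile run unconfined (PUx)`. The `[a-z0-9]*` glob also silently excludes binaries whose name starts with an uppercase letter, `_` or `.`; those would be denied rather than fall back, which is probably not what the author intended — either list the intended targets or widen the glob.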
@@ -0,0 +1,43 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/sfdisk +profile sfdisk @{exec_path} { + #include + #include + + # Needed to avoid the following error: + # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) + # + # Checking that no-one is using this disk right now ... FAILED + # This disk is currently in use - repartitioning is probably a bad idea. + # Umount all file systems, and swapoff all swap partitions on this disk. + # Use the --no-reread flag to suppress this check. + capability sys_admin, + + @{exec_path} mr, + + # For disk images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + # For backups + owner @{HOME}/**.{bak,back} rwk, + owner /media/*/**.{bak,back} rwk, + + #include if exists +} diff --git a/apparmor.d/sgdisk b/apparmor.d/sgdisk new file mode 100644 index 00000000..12969551 --- /dev/null +++ b/apparmor.d/sgdisk 
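Review bot: `capability sys_admin` is granted profile-wide; the comment explains it is for the BLKRRPART ioctl, but sys_admin is far broader than that one ioctl, and the comment should say so, e.g. `# sys_admin is broad; only BLKRRPART is wanted, there is no finer capability`, so nobody later treats this profile as tight. The identical grant and comment block is repeated in sgdisk below. The disk-image and backup rules spell each extension twice (`{iso,img,...}` and `{ISO,IMG,...}`); the smplayer profile in this commit uses case-insensitive character classes for the same purpose, which would halve these lines in both sfdisk and sgdisk.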
@@ -0,0 +1,43 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/sgdisk +profile sgdisk @{exec_path} { + #include + #include + + # Needed to inform the system of newly created/removed partitions + # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) + # + # Warning: The kernel is still using the old partition table. + # The new table will be used at the next reboot or after you + # run partprobe(8) or kpartx(8) + # The operation has completed successfully. + capability sys_admin, + + @{exec_path} mr, + + # For disk images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + # For backups + owner @{HOME}/**.{bak,back} rwk, + owner /media/*/**.{bak,back} rwk, + + #include if exists +} diff --git a/apparmor.d/signal-desktop b/apparmor.d/signal-desktop new file mode 100644 index 00000000..c796a715 --- /dev/null +++ b/apparmor.d/signal-desktop 
@@ -0,0 +1,79 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +#abi , + +#include + +@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" +@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}" + +@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} +profile signal-desktop @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + # Signal installation dir + @{SIGNAL_INSTALLDIR}/ r, + @{SIGNAL_INSTALLDIR}/** r, + @{SIGNAL_INSTALLDIR}/libnode.so mr, + @{SIGNAL_INSTALLDIR}/libffmpeg.so mr, + @{SIGNAL_INSTALLDIR}/chrome-sandbox rPx, + + # Signal home dirs + @{SIGNAL_HOMEDIR}/ rw, + @{SIGNAL_HOMEDIR}/** rwk, + + #owner @{HOME}/.pki/nssdb/pkcs11.txt r, + #owner @{HOME}/.pki/nssdb/cert9.db rwk, + #owner @{HOME}/.pki/nssdb/key4.db rwk, + + # Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in + # your system, use the TMPDIR variable to set some other tmp dir. 
+ /tmp/ r, + owner /tmp/.org.chromium.Chromium.* mrw, + /var/tmp/ r, + owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw, + + @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + @{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r, + @{sys}/devices/virtual/tty/tty[0-9]/active r, + + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/stat r, + @{PROC}/vmstat r, + + deny /dev/shm/ r, + /dev/shm/.org.chromium.Chromium.* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /{usr/,}bin/xdg-settings rPUx, + + /{usr/,}bin/getconf rix, + + #include if exists +} diff --git a/apparmor.d/signal-desktop-chrome-sandbox b/apparmor.d/signal-desktop-chrome-sandbox new file mode 100644 index 00000000..1379816c --- /dev/null +++ b/apparmor.d/signal-desktop-chrome-sandbox @@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" +@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}" + +@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} +profile signal-desktop-chrome-sandbox @{exec_path} { + #include + #include + + @{exec_path} mr, + + @{SIGNAL_INSTALLDIR}/signal-desktop rPx, + + #include if exists +} + diff --git a/apparmor.d/smartctl b/apparmor.d/smartctl new file mode 100644 index 00000000..fef20c00 --- /dev/null +++ b/apparmor.d/smartctl 
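Review bot: `owner /tmp/.org.chromium.Chromium.* mrw` grants write and executable mapping on the same /tmp files, which is the consequence of the "Signal wants /tmp mounted exec" comment above it; the comment should state that outcome, e.g. `# W+X: Electron maps its own /tmp scratch files executable`, so reviewers know it is deliberate. `/dev/shm/.org.chromium.Chromium.* rw` has no `owner` qualifier unlike the /tmp and @{SIGNAL_HOMEDIR}/tmp rules; presumably the shared-memory segments are created by the same uid, in which case `owner` could be added for consistency — confirm before changing.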
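Review bot: The attachment path of `signal-desktop-chrome-sandbox` is wrong: `@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}` attaches it to the same binary as the `signal-desktop` profile, while the parent transitions with `@{SIGNAL_INSTALLDIR}/chrome-sandbox rPx`, which needs a profile attached to chrome-sandbox and is otherwise denied; this looks like a copy of the signal-desktop header. Change it to `@{exec_path} = @{SIGNAL_INSTALLDIR}/chrome-sandbox` and keep `@{exec_path} mr` and `@{SIGNAL_INSTALLDIR}/signal-desktop rPx` as they are. Since chrome-sandbox is commonly installed setuid root, a comment noting that this profile governs a privileged helper would be worthwhile once the path is fixed.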
@@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/smartctl +profile smartctl @{exec_path} { + #include + #include + + # To remove the following errors: + # Probable ATA device behind a SAT layer + # Try an additional '-d ata' or '-d sat' argument. + capability sys_rawio, + + @{exec_path} mr, + + /var/lib/smartmontools/** r, + + #include if exists +} diff --git a/apparmor.d/smartd b/apparmor.d/smartd new file mode 100644 index 00000000..ca506cf5 --- /dev/null +++ b/apparmor.d/smartd 
@@ -0,0 +1,47 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/smartd +profile smartd @{exec_path} { + #include + #include + + # To remove the following errors: + # Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device + # Try 'smartctl -s on /dev/disk/by-id/ata-*' to turn on SMART features + # Unable to register SCSI device /dev/disk/by-id/ata-* at line * of file /etc/smartd.conf + # Device: /dev/disk/by-id/ata-*, not available + capability sys_rawio, + + @{exec_path} mr, + + /etc/smartd.conf r, + + /var/lib/smartmontools/smartd.*.state{,~} rw, + /var/lib/smartmontools/attrlog.*.csv rw, + + # Plugin directory for smartd warning script + /etc/smartmontools/smartd_warning.d/ r, + + # Drive database location + /var/lib/smartmontools/drivedb/drivedb.h r, + /etc/smart_drivedb.h r, + + # Needed when smartd-runner scans for drives + /dev/ r, + @{PROC}/devices r, + + #include if exists +} diff --git a/apparmor.d/smplayer b/apparmor.d/smplayer new file mode 100644 index 00000000..7f579aae --- /dev/null +++ b/apparmor.d/smplayer 
@@ -0,0 +1,151 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +# Video/audio extensions: +# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, +# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +@{smplayer_ext} = [aA]{52,[aA][cC],[cC]3} +@{smplayer_ext} += [mM][kK][aA] +@{smplayer_ext} += [fF][lL][aA][cC] +@{smplayer_ext} += [mM][pP][123cC] +@{smplayer_ext} += [oO][gGmM][aA] +@{smplayer_ext} += [wW]{,[aA]}[vV] +@{smplayer_ext} += [wW][mM]{,[aA]} +@{smplayer_ext} += 3[gG]{[2pP],[pP][2pP]} +@{smplayer_ext} += [aA][sS][fF] +@{smplayer_ext} += [aA][vV][iI] +@{smplayer_ext} += [dD][iI][vV][xX] +@{smplayer_ext} += [mM][124][vV] +@{smplayer_ext} += [mM][kKoO][vV] +@{smplayer_ext} += [mM][pP][4aAeEgG] +@{smplayer_ext} += [mM][pP][eE][gG]{,[124]} +@{smplayer_ext} += [oO][gG][gGmMxXvV] +@{smplayer_ext} += [rR][mM]{,[vV][bB]} +@{smplayer_ext} += [wW][eE][bB][mM] +@{smplayer_ext} += [wW][mMtT][vV] +@{smplayer_ext} += [mM][pP]2[tT] + +# Image extensions +# bmp, jpg, jpeg, png, gif +@{smplayer_ext} += [bB][mM][pP] +@{smplayer_ext} += [jJ][pP]{,[eE]}[gG] +@{smplayer_ext} += [pP][nN][gG] +@{smplayer_ext} += [gG][iI][fF] + +# Subtitle extensions: +# srt, txt, sub +@{smplayer_ext} += [sS][rR][tT] +@{smplayer_ext} += [tT][xX][tT] +@{smplayer_ext} += [sS][uU][bB] + +# Playlist extensions: +# m3u, m3u8, pls +@{smplayer_ext} += [mM]3[uU]{,8} +@{smplayer_ext} += [pP][lL][sS] + +# For Qbittorrent !qB extension +@{smplayer_ext} += "!qB" + + +@{exec_path} = /{usr/,}bin/smplayer 
+profile smplayer @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # Needed for hardware decoding + ##include + + signal (send) set=(term, kill), + signal (receive) set=(term, kill), + + @{exec_path} mrix, + + # Which media files SMPlayer should be able to open + / r, + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/**/ r, + /media/ r, + owner /media/**/ r, + /tmp/ r, + owner /tmp/mozilla_*/ r, + owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw, + + # SMPlayer config files + owner @{HOME}/.config/smplayer/ rw, + owner @{HOME}/.config/smplayer/* rwkl -> @{HOME}/.config/smplayer/#[0-9]*[0-9], + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{HOME}/.cache/#[0-9]*[0-9] rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + deny owner @{PROC}/@{pid}/stat r, + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + deny /dev/ r, + /dev/shm/#[0-9]*[0-9] rw, + + owner /tmp/qtsingleapp-smplay-* rw, + owner /tmp/qtsingleapp-smplay-*-lockfile rwk, + + /usr/share/hwdata/pnp.ids r, + + # For the builtin thumbnail generator + owner /tmp/smplayer_preview/ rw, + owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw, + + owner /tmp/smplayer-mpv-* w, + + # External apps + /{usr/,}bin/mpv rPUx, + /{usr/,}bin/smtube rPUx, + /{usr/,}bin/youtube-dl rPUx, + + # PulseAudio (to use "pacmd") + /{usr/,}bin/pacmd rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.anyRemote/anyremote.stdout w, + + #include if exists +} + diff --git a/apparmor.d/smtube b/apparmor.d/smtube new file mode 100644 index 00000000..fca4c406 --- /dev/null +++ b/apparmor.d/smtube 
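Review bot: `owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw` gives write access to every user-owned file with any listed extension, and the list includes `[tT][xX][tT]`, `[sS][uU][bB]` and the playlist extensions, so the profile can modify every `.txt` under /home, not only media. If write is needed only for media files, split the variable into a read-only subtitle/playlist set and a media set, e.g. `owner /{home,media,tmp/mozilla_*}/**.@{smplayer_sub_ext} r,` alongside the existing rule. A short comment on why `rw` rather than `r` is needed at all would also help.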
@@ -0,0 +1,103 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/smtube +profile smtube @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mr, + + /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, + + # SMTube config files + owner @{HOME}/.config/smtube/ rw, + owner @{HOME}/.config/smtube/* rwkl -> @{HOME}/.config/smtube/#[0-9]*[0-9], + + # Needed for updating YT code + owner @{HOME}/.config/smplayer/yt.js rw, + + owner @{HOME}/.config/smplayer/#[0-9]*[0-9] rw, + owner @{HOME}/.config/smplayer/hdpi.ini rw, + owner @{HOME}/.config/smplayer/hdpi.ini.lock rwk, + owner @{HOME}/.config/smplayer/hdpi.ini.* rwl -> @{HOME}/.config/smplayer/#[0-9]*[0-9], + + # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + # Cache + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/smtube/ rw, + owner @{HOME}/.cache/smtube/* rwk, + + owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + deny /dev/ r, + /dev/shm/#[0-9]*[0-9] rw, + + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/sys/kernel/random/boot_id r, + + # Players + /{usr/,}bin/mpv rPUx, + /{usr/,}bin/smplayer rPUx, + /{usr/,}bin/vlc rPUx, + /{usr/,}bin/cvlc rPUx, + /{usr/,}bin/youtube-dl rPUx, + + /{usr/,}bin/xdg-open rCx -> open, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/spacefm b/apparmor.d/spacefm new file mode 100644 index 00000000..36f71bdf --- /dev/null +++ b/apparmor.d/spacefm 
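Review bot: `/{usr/,}lib/firefox/firefox rPUx` appears both in the main profile and in the `open` child, yet the main profile only reaches a browser through `xdg-open rCx -> open`; unless smtube execs firefox directly, the parent rule is redundant and widens the profile (firefox would run unconfined from smtube if no firefox profile is loaded). `owner @{HOME}/.config/smplayer/yt.js rw` deserves a why-comment: it is downloaded code that smplayer later executes, so its provenance matters, e.g. `# yt.js is fetched from the network and executed by smplayer`. `registry.x86_64.bin` hard-codes the architecture in the gstreamer cache rule.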
@@ -0,0 +1,101 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/spacefm +profile spacefm @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # This should be tightened when the "profile has merged rule with conflicting x modifiers" error + # will be fixed. (#FIXME#) + #include + #include + + # For root window + deny capability dac_read_search, + deny capability dac_override, + + # Needed? + deny capability sys_nice, + + # SpaceFM needs this for killing/terminating processes it initiates. + signal (send) set=(term, kill), + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/cgroup r, + + @{sys}/bus/ r, + @{sys}/class/ r, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + # To read/write files in the system. The read permission is granted for all files, the write + # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in + # the list. 
+ / r, + /boot/ r, + /boot/** r, + owner /boot/** rw, + /etc/ r, + /etc/** r, + owner /etc/** rw, + /home/ r, + /home/** r, + /home/** rw, + /lost+found/ r, + /lost+found/** r, + owner /lost+found/** rw, + /media/ r, + /media/** r, + owner /media/** rw, + /mnt/ r, + /mnt/** r, + owner /mnt/** rw, + /opt/ r, + /opt/** r, + owner /opt/** rw, + /root/ r, + /root/** r, + owner /root/** rw, + /run/ r, + /run/** r, + owner /run/** rw, + /srv/ r, + /srv/** r, + owner /srv/** rw, + /tmp/ r, + /tmp/** r, + owner /tmp/** rw, + /usr/ r, + /usr/** r, + owner /usr/** rw, + /var/ r, + /var/** r, + owner /var/** rw, + + #include if exists +} diff --git a/apparmor.d/spacefm-auth b/apparmor.d/spacefm-auth new file mode 100644 index 00000000..4c00a775 --- /dev/null +++ b/apparmor.d/spacefm-auth @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/spacefm-auth +profile spacefm-auth @{exec_path} { + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + + #include if exists +} diff --git a/apparmor.d/spectre-meltdown-checker b/apparmor.d/spectre-meltdown-checker new file mode 100644 index 00000000..52818031 --- /dev/null +++ b/apparmor.d/spectre-meltdown-checker 
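Review bot: `/home/** rw` is the only entry in the filesystem list without an `owner` qualifier, which contradicts the comment just above ("the write permission only for the owner") and, for an unprivileged user, is the only cross-user write in the profile; change it to `owner /home/** rw,` like the other entries. The `# Needed?` above `deny capability sys_nice` is an open question left in the policy — resolve it or note why the deny is kept. The `#FIXME#` comment references an abstraction whose name is not visible here, so I cannot judge that part.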
@@ -0,0 +1,154 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/spectre-meltdown-checker +profile spectre-meltdown-checker @{exec_path} { + #include + + # Needed to read the /dev/cpu/[0-9]*/msr device + capability sys_rawio, + + # Needed to read system logs + capability syslog, + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/dirname rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/head rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/od rix, + /{usr/,}bin/dd rix, + /{usr/,}bin/id rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/seq rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/base64 rix, + /{usr/,}bin/unzip rix, + /{usr/,}bin/{,@{multiarch}-}readelf rix, + /{usr/,}bin/{,@{multiarch}-}strings rix, + /{usr/,}bin/{,@{multiarch}-}objdump rix, + /{usr/,}sbin/iucode_tool rix, + /{usr/,}bin/dmesg rix, + + /{usr/,}bin/pgrep rCx -> pgrep, + /{usr/,}bin/ccache rCx -> ccache, + /{usr/,}bin/kmod rCx -> kmod, + + # To fetch MCE.db from the MCExtractor project + /{usr/,}bin/wget rCx -> mcedb, + /{usr/,}bin/sqlite3 rCx -> mcedb, + owner /tmp/mcedb-* rw, + owner /tmp/smc-* rw, + owner /tmp/intelfw-*/ rw, + owner /tmp/intelfw-*/fw.zip rw, + owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw, + owner 
/tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw, + + owner @{HOME}/.mcedb rw, + owner /{usr/,}bin/spectre-meltdown-checker w, + + owner /tmp/{config,kernel}-* rw, + + owner /dev/cpu/[0-9]*/cpuid r, + owner /dev/cpu/[0-9]*/msr rw, + owner /dev/kmsg r, + + /boot/{config,vmlinuz,System.map}-* r, + + @{sys}/devices/system/cpu/vulnerabilities/* r, + + @{PROC}/ r, + @{PROC}/config.gz r, + @{PROC}/cmdline r, + @{PROC}/kallsyms r, + @{PROC}/modules r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + + profile ccache { + #include + + /{usr/,}bin/ccache mr, + + /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + + /media/ccache/*/** rw, + + } + + profile pgrep { + #include + + /{usr/,}bin/pgrep mr, + + # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + } + + profile mcedb { + #include + #include + #include + #include + #include + + /{usr/,}bin/wget mr, + /{usr/,}bin/sqlite3 mr, + + /etc/wgetrc r, + owner @{HOME}/.wget-hsts rwk, + + /tmp/ r, + owner /tmp/mcedb-* rwk, + owner /tmp/intelfw-*/fw.zip rw, + + /usr/share/publicsuffix/public_suffix_list.* r, + + } + + profile kmod { + #include + + /{usr/,}bin/kmod mr, + + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + @{PROC}/cmdline r, + + } + + #include if exists +} diff --git a/apparmor.d/speedtest b/apparmor.d/speedtest new file mode 100644 index 00000000..5daeb310 --- /dev/null +++ b/apparmor.d/speedtest 
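Review bot: `owner /{usr/,}bin/spectre-meltdown-checker w` lets the confined script rewrite its own executable, and `owner /dev/cpu/[0-9]*/msr rw` lets it write model-specific registers; both are unusual for a checker and need a why-comment naming the option that requires them (presumably the MCE database update and the MSR probing — confirm against the script), e.g. `# self-write: the script updates its embedded MCE db in place`. The `ccache` child hard-codes the site-specific `/media/ccache/*/** rw`. The pgrep child's comment has a typo, `radable` → `readable`.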
@@ -0,0 +1,38 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/speedtest{,-cli} +profile speedtest @{exec_path} { + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + /{usr/,}bin/file rix, + /{usr/,}bin/uname rix, + + owner @{PROC}/@{pid}/fd/ r, + + /usr/local/lib/python*/dist-packages/ r, + + /etc/magic r, + + #include if exists +} diff --git a/apparmor.d/spflashtool b/apparmor.d/spflashtool new file mode 100644 index 00000000..d28562a9 --- /dev/null +++ b/apparmor.d/spflashtool 
@@ -0,0 +1,73 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /opt/SPFlashTool/flash_tool{,.sh} +profile spflashtool @{exec_path} { + #include + #include + #include + #include + + @{exec_path} mrix, + + # SPFlashTool installation files + /opt/SPFlashTool/{,**} r, + /opt/SPFlashTool/lib*.so mr, + /opt/SPFlashTool/lib/lib*.so.[0-9]* mr, + /opt/SPFlashTool/*.ini rk, + + # Session logs + owner /tmp/SP_FT_Logs/ rw, + owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ rw, + owner /tmp/SP_FT_Logs/SP_FT_Dump_*1/QT_FLASH_TOOL.log w, + owner /tmp/SP_FT_Logs/SP_FT_Dump_*/BROM_DLL_V[0-9]*.log w, + owner /tmp/SP_FT_Logs/SP_FT_Dump_*/GLB_[0-9]*-[0-9]*_[0-9]*.log w, + owner /tmp/SP_FT_Logs/SP_FT_Dump_*/QT_FLASH_TOOL.log w, + owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w, + + # For reading the scatter.txt file + / r, + /media/ r, + owner /media/Android/{,**/} r, + owner /media/Android/**scatter.txt r, + + # For backups + owner /media/Android/smartphones_flash_backup/ r, + owner /media/Android/smartphones_flash_backup/** rw, + + owner @{HOME}/.config/Trolltech.conf rwk, + + owner @{HOME}/.config/MTK/ rw, + owner @{HOME}/.config/MTK/Clipper.conf rwk, + + owner @{HOME}/.Xauthority r, + + owner @{HOME}/.icons/default/index.theme r, + /etc/X11/cursors/*.theme r, + /usr/share/icons/*/cursors/default r, + /usr/share/icons/*/index.theme rk, + /usr/share/icons/*/cursors/* r, + + /dev/ r, + # For reading/writing from/to phone flash memory + /dev/ttyACM[0-9]* rw, + + /sys/devices/pci[0-9]*/**/{idVendor,idProduct} r, + + # Silence the noise + /opt/SPFlashTool/** w, + + #include if exists +} 
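Review bot: The final rule `/opt/SPFlashTool/** w,` under "Silence the noise" grants write access to the whole installation tree instead of suppressing log noise, and the same tree is mapped executable a few lines earlier by `/opt/SPFlashTool/lib*.so mr,` and `/opt/SPFlashTool/lib/lib*.so.[0-9]* mr,`, so a compromised flash_tool process could rewrite the libraries it loads. If the intent is only to quiet the audit log it should read `deny /opt/SPFlashTool/** w,`. Separately, `/sys/devices/pci[0-9]*/**/{idVendor,idProduct} r,` uses a literal /sys where the other profiles in this commit use `@{sys}`.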
diff --git a/apparmor.d/spotify b/apparmor.d/spotify new file mode 100644 index 00000000..ca2338d9 --- /dev/null +++ b/apparmor.d/spotify 
@@ -0,0 +1,94 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify +profile spotify @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mrix, + + /usr/share/spotify/{,**} r, + /usr/share/spotify/libcef.so mr, + /usr/share/spotify/swiftshader/libGLESv2.so mr, + /usr/share/spotify/swiftshader/libEGL.so mr, + + owner @{HOME}/.config/spotify/ rw, + owner @{HOME}/.config/spotify/** rw, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/spotify/ rw, + owner @{HOME}/.cache/spotify/** rwk, + + owner @{HOME}/.Xauthority r, + + # The /proc/ dir is needed to avoid the following errors: + # [:FATAL:proc_util.cc(36)] : Permission denied (13) + # [:FATAL:sandbox_linux.cc(484)] : Permission denied (13) + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + deny owner @{PROC}/@{pids}/task/ r, + deny owner @{PROC}/@{pids}/task/@{tid}/stat r, + deny owner @{PROC}/@{pids}/task/@{tid}/status r, + deny @{PROC}/@{pids}/stat r, + deny owner @{PROC}/@{pid}/cmdline r, + deny owner @{PROC}/@{pids}/oom_score_adj w, + deny @{PROC}/vmstat r, + @{PROC}sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + owner /dev/shm/.org.chromium.Chromium.* rw, + + deny @{sys}/devices/virtual/tty/tty[0-9]*/active r, + # To remove the following error: + # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied + deny @{sys}/devices/pci[0-9]*/**/irq r, + + deny 
/var/lib/dbus/machine-id r, + deny /etc/machine-id r, + + /usr/share/X11/XErrorDB r, + + /tmp/ r, + owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # What's this for? + #owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw, + + /var/tmp/ r, + + deny owner @{HOME}/.pki/ rw, + deny owner @{HOME}/.pki/nssdb/ rw, + deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + #include if exists +} diff --git a/apparmor.d/ssh-agent b/apparmor.d/ssh-agent new file mode 100644 index 00000000..76880ae6 --- /dev/null +++ b/apparmor.d/ssh-agent @@ -0,0 +1,45 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ssh-agent +profile ssh-agent @{exec_path} { + #include + #include + + @{exec_path} mr, + + owner /tmp/ssh-*/ rw, + owner /tmp/ssh-*/agent.* rw, + + # When SSH agent is not used with GPG + /{usr/,}bin/openbox-session rPx, + /{usr/,}bin/startkde rPUx, + /{usr/,}bin/sway rPUx, + /{usr/,}bin/enlightenment_start rPUx, + + # When started via systemd + /{var/,}run/user/[0-9]*/openssh_agent rw, + + # askpass apps + #/{usr/,}lib/ssh/x11-ssh-askpass rPUx, + #/{usr/,}bin/ksshaskpass rPUx, + /{usr/,}bin/kwalletaskpass rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/startx b/apparmor.d/startx new file mode 100644 index 00000000..bed435c5 --- /dev/null +++ b/apparmor.d/startx 
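Review bot: `@{PROC}sys/kernel/yama/ptrace_scope r,` is missing the slash after the variable, so it expands to a path under /procsys and never matches anything; it should be `@{PROC}/sys/kernel/yama/ptrace_scope r,`. The deny rules around it are the right pattern for the Chromium sandbox probes, so this one line is presumably meant to be the single allowed /proc/sys read. The spotify profile begins on the previous line of this page, so the hunk is split across two lines here.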
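Review bot: `/{var/,}run/user/[0-9]*/openssh_agent rw,` is the only agent-socket rule without `owner`, while both /tmp/ssh-* rules carry it, so the profile would let the agent open another user's socket under /run/user if DAC permitted; suggest `owner /{var/,}run/user/[0-9]*/openssh_agent rw,`. The `rPUx` fallbacks for openbox-session, startkde, sway and enlightenment_start mean the whole desktop session runs unconfined whenever no profile exists for it; that is presumably intended but deserves a comment saying so.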
@@ -0,0 +1,49 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/startx +profile startx @{exec_path} { + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/dash r, + + /{usr/,}bin/hostname rix, + /{usr/,}bin/mcookie rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/deallocvt rix, + + /{usr/,}bin/xauth rPx, + /{usr/,}bin/xinit rPx, + + /etc/X11/xinit/xinitrc r, + /etc/X11/xinit/xserverrc r, + + owner @{HOME}/.xinitrc r, + owner @{HOME}/.xserverrc r, + + owner /tmp/serverauth.* rw, + + owner /dev/tty[0-9]* rw, + #include if exists +} diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry new file mode 100644 index 00000000..3c4e5b79 --- /dev/null +++ b/apparmor.d/strawberry 
@@ -0,0 +1,134 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/strawberry +profile strawberry @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + signal (send) set=(term, kill) peer=strawberry-tagreader, + + signal (receive) set=(term, kill) peer=anyremote//*, + + @{exec_path} mr, + + /{usr/,}bin/strawberry-tagreader rPx, + /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, + + /{usr/,}bin/xdg-open rCx -> open, + + # Media library + / r, + /media/ r, + owner /media/Kabi/ r, + owner /media/Kabi/mp3/ r, + owner /media/Kabi/mp3/** rw, + + owner @{HOME}/ r, + owner @{HOME}/.config/strawberry/ rw, + owner @{HOME}/.config/strawberry/* rwkl -> @{HOME}/.config/strawberry/#[0-9]*[0-9], + + owner @{HOME}/.local/share/strawberry/ rw, + owner @{HOME}/.local/share/strawberry/** rwk, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/strawberry/ rw, + owner @{HOME}/.cache/strawberry/** rwl -> @{HOME}/.cache/strawberry/networkcache/prepared/#[0-9]*[0-9], + + owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + + owner @{HOME}/.cache/xine-lib/ rw, + owner @{HOME}/.cache/xine-lib/plugins.cache{,.new} rw, + + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + deny 
@{PROC}/sys/kernel/random/boot_id r, + + /{var/,}run/mount/utab r, + + /etc/fstab r, + + deny /dev/ r, + /dev/shm/#[0-9]*[0-9] rw, + /dev/sr[0-9]* r, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]/meminfo r, + + # The orcexec.* file is JIT compiled code for various GStreamer elements. + # If one is blocked the next is used instead. + owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + #owner @{HOME}/orcexec.* mrw, + #owner /tmp/orcexec.* mrw, + + owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, + owner /tmp/.*/ rw, + owner /tmp/.*/s rw, + owner /tmp/strawberry*[0-9] w, + owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/*= w, + + owner /var/tmp/etilqs_[0-9a-f]* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.anyRemote/anyremote.stdout w, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/strawberry-tagreader b/apparmor.d/strawberry-tagreader new file mode 100644 index 00000000..0eb6cd19 --- /dev/null +++ b/apparmor.d/strawberry-tagreader 
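Review bot: `owner /tmp/.*/ rw,` and `owner /tmp/.*/s rw,` match every user-owned dot-directory under /tmp, which is much wider than whichever directory these two rules were written for and also covers any hidden directory the user creates there; the directory should be named explicitly once identified, with a comment such as `# <dot-dir placeholder> created by <component>: replaces the /tmp/.*/ glob`. `owner /{var/,}run/user/[0-9]*/orcexec.* mrw,` is the one writable-and-executable mapping in the profile; the comment explains the JIT need, but marking it (`# W^X exception: ORC JIT code`) makes the trade-off visible to the next reviewer. The strawberry profile starts on the previous line of this page.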
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/strawberry-tagreader
+profile strawberry-tagreader @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (receive) set=(term, kill) peer=strawberry,
+ signal (receive) set=(term, kill) peer=anyremote//*,
+
+ @{exec_path} mr,
+
+ # Media library
+ owner /media/*/mp3/ r,
+ owner /media/*/mp3/** rw,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ owner @{HOME}/.anyRemote/anyremote.stdout w,
+ owner @{HOME}/.cache/gstreamer-*/registry.x86_64.bin.tmp* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/su b/apparmor.d/su
new file mode 100644
index 00000000..479ab961
--- /dev/null
+++ b/apparmor.d/su
@@ -0,0 +1,68 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/su +profile su @{exec_path} { + #include + #include + #include + #include + #include +# #include + + # To remove the following errors: + # su: cannot set groups: Operation not permitted + capability setgid, + + # To remove the following errors: + # su: cannot set user id: Operation not permitted + capability setuid, + + # To write records to the kernel auditing log. + capability audit_write, + + # Needed? + audit deny capability net_bind_service, + + signal (send) set=(term,kill), + signal (receive) set=(int,quit,term), + + @{exec_path} mr, + + # Shells to use + /{usr/,}bin/{,b,d,rb}ash rpux, + /{usr/,}bin/{c,k,tc,z}sh rpux, + + # Fake shells to politely refuse a login + #/{usr/,}sbin/nologin rpux, + + /etc/environment r, + + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid r, + + /etc/default/locale r, + /etc/security/limits.d/ r, + + /etc/shells r, + + owner /var/log/btmp wk, + + # For pam_securetty + @{PROC}/cmdline r, + @{sys}/devices/virtual/tty/console/active r, + + #include if exists +} diff --git a/apparmor.d/sudo b/apparmor.d/sudo new file mode 100644 index 00000000..aed01a45 --- /dev/null +++ b/apparmor.d/sudo 
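Review bot: The shell rules `/{usr/,}bin/{,b,d,rb}ash rpux,` and `/{usr/,}bin/{c,k,tc,z}sh rpux,` use the lowercase p/u exec modifiers, which transition without the secure-exec environment scrubbing that `PUx` applies; for a program that hands a root shell to its caller that choice should be deliberate and commented (e.g. `# lowercase pux: su builds the target environment itself`) or changed to `rPUx`. The same pattern appears in the sudo hunk that follows. `audit deny capability net_bind_service,` is tagged `# Needed?`; since the capability is not granted anywhere, the rule only keeps the denial logged and can be dropped once the question is settled.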
@@ -0,0 +1,72 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/sudo +profile sudo @{exec_path} { + #include + #include + #include + #include + #include +# #include + + # To remove the following errors: + # sudo: unable to change to root gid: Operation not permitted + capability setgid, + + # To remove the following errors: + # sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted + # sudo: no valid sudoers sources found, quitting + # sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted + capability setuid, + + # To write records to the kernel auditing log. + capability audit_write, + + # Needed? (#FIXME#) + capability sys_resource, + + signal, + + @{exec_path} mr, + + # Shells to use + /{usr/,}bin/{,b,d,rb}ash rpux, + /{usr/,}bin/{c,k,tc,z}sh rpux, + + /{usr/,}bin/[a-z0-9]* rPUx, + /{usr/,}sbin/[a-z0-9]* rPUx, + + /dev/ r, + + # For timestampdir + owner /{var/,}run/sudo/ rw, + owner /{var/,}run/sudo/ts/ rw, + owner /{var/,}run/sudo/ts/* rwk, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/stat r, + + /etc/sudo.conf r, + + /etc/sudoers r, + /etc/sudoers.d/{,*} r, + + # file_inherit + owner /dev/tty[0-9]* rw, + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/swaplabel b/apparmor.d/swaplabel new file mode 100644 index 00000000..e3daf144 --- /dev/null +++ b/apparmor.d/swaplabel 
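Review bot: The bare `signal,` rule allows sending and receiving every signal to and from any peer, including unconfined processes and every other profile. sudo needs to relay signals to the command it runs and receive them from its caller, so a scoped pair such as `signal (receive),` plus a send rule restricted to the child profiles (or `peer=unconfined` for the `rPUx` case) keeps that working without granting kill rights over unrelated processes; the exact peer set should be confirmed from the audit log. `capability sys_resource,` is tagged `#FIXME#` and should get the same "To remove the following errors" comment the setgid/setuid rules have, naming the syscall that needed it.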
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/swaplabel
+profile swaplabel @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # SWAP file common locations
+ owner /swapfile rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/swapoff b/apparmor.d/swapoff
new file mode 100644
index 00000000..b68632db
--- /dev/null
+++ b/apparmor.d/swapoff
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/swapoff
+profile swapoff @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ /etc/fstab r,
+
+ @{PROC}/swaps r,
+
+ # SWAP file common locations
+ owner /swapfile rw,
+
+ #include if exists
+}
+
diff --git a/apparmor.d/swapon b/apparmor.d/swapon
new file mode 100644
index 00000000..ebbbb911
--- /dev/null
+++ b/apparmor.d/swapon
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/swapon
+profile swapon @{exec_path} {
+ #include
+ #include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ /etc/fstab r,
+
+ @{PROC}/swaps r,
+
+ # SWAP file common locations
+ owner /swapfile rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/synaptic b/apparmor.d/synaptic
new file mode 100644
index 00000000..3d2935d6
--- /dev/null
+++ b/apparmor.d/synaptic
@@ -0,0 +1,182 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +@{BUILD_DIR} = /media/debuilder/ + +#include + +@{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec +profile synaptic @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # To remove the following errors: + # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - + # Item::QueueURI (1: Operation not permitted) + capability fowner, + + # To remove the following errors: + # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + capability chown, + + # To remove the following errors: + # E: setgroups 65534 failed - setgroups (1: Operation not permitted) + # E: setegid 65534 failed - setegid (1: Operation not permitted) + # E: seteuid 100 failed - seteuid (1: Operation not permitted) + # E: setgroups 0 failed - setgroups (1: Operation not permitted) + capability setuid, + capability setgid, + + # To remove the following errors: + # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - + # PrepareFiles (13: Permission denied) + # E: Unable to read 
/var/lib/apt/lists/partial/ - open (13: Permission denied) + capability dac_read_search, + + # To remove the following errors: + # E: Failed to fetch https://**.deb rename failed, Permission denied + # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). + # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? + capability dac_override, + + # Needed? (##FIXME##) + capability kill, + capability fsetid, + deny capability sys_nice, + + signal (send) peer=apt-methods-*, + + @{exec_path} mr, + + /{usr/,}bin/dash rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, + + # For update-apt-xapian-index + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, + + # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Synaptic works fine without this. 
+ #/{usr/,}bin/dbus-launch rCx -> dbus, + #/{usr/,}bin/dbus-send rCx -> dbus, + deny /{usr/,}bin/dbus-launch rx, + deny /{usr/,}bin/dbus-send rx, + + /{usr/,}bin/ps rPx, + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/apt-listbugs rPx, + /{usr/,}bin/apt-listchanges rPx, + /{usr/,}bin/apt-show-versions rPx, + /{usr/,}sbin/dpkg-preconfigure rPx, + /{usr/,}bin/debtags rPx, + /{usr/,}sbin/localepurge rPx, + /{usr/,}bin/appstreamcli rPx, + /{usr/,}bin/adequate rPx, + /{usr/,}sbin/update-command-not-found rPx, + /usr/share/command-not-found/cnf-update-db rPx, + /{usr/,}sbin/update-apt-xapian-index rPx, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/deborphan rPx, + /{usr/,}bin/tasksel rPx, + /{usr/,}bin/pkexec rPx, + + # Methods to use to download packages from the net + /{usr/,}lib/apt/methods/* rPx, + + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/extended_states{,.*} rw, + + /etc/apt/apt.conf.d/99synaptic rw, + + /var/log/apt/eipp.log.xz w, + /var/log/apt/{term,history}.log w, + + # For editing the sources.list file + /etc/apt/sources.list.d/ r, + /etc/apt/sources.list.d/*.list rw, + /etc/apt/sources.list rwk, + + /var/lib/apt-xapian-index/index r, + /var/cache/apt-xapian-index/index.[0-9]/*.glass r, + /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + + /var/lib/dpkg/** r, + /var/lib/dpkg/lock{,-frontend} rwk, + + owner /tmp/apt-dpkg-install-*/ rw, + owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + /usr/share/synaptic/{,**} r, + owner @{HOME}/.synaptic/ rw, + owner @{HOME}/.synaptic/** rwk, + /{var/,}run/synaptic.socket w, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # Synaptic is a GUI app started by root, so without "owner" + @{HOME}/.Xauthority r, + + # For package building + @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, + + # 
file_inherit + owner /dev/tty[0-9]* rw, + + + profile dbus { + #include + #include + + /{usr/,}bin/dbus-launch mr, + /{usr/,}bin/dbus-send mr, + /{usr/,}bin/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + + @{HOME}/.Xauthority r, + } + + #include if exists +} diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing new file mode 100644 index 00000000..0c44da15 --- /dev/null +++ b/apparmor.d/syncthing @@ -0,0 +1,61 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/syncthing +profile syncthing @{exec_path} { + #include + #include + #include + #include + + @{exec_path} mrix, + + /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/ip rix, + + owner @{HOME}/ r, + owner @{HOME}/.config/syncthing/ rw, + owner @{HOME}/.config/syncthing/** rwk, + + # The sync folders + #owner @{HOME}/Sync/{,**} rw, + owner /media/*/syncthing/{,**} rw, + + /etc/mime.types r, + + @{PROC}/sys/net/core/somaxconn r, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Silecne the noise + deny /etc/ssl/certs/java/ r, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer new file mode 100644 index 00000000..60774c06 --- /dev/null +++ b/apparmor.d/system-config-printer 
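Review bot: The `profile dbus { ... }` child at the bottom of the synaptic profile is unreachable: both `rCx -> dbus` transitions are commented out and replaced by `deny /{usr/,}bin/dbus-launch rx,` and `deny /{usr/,}bin/dbus-send rx,`, so the child is dead configuration that would still grant `dbus-daemon rPUx` if someone re-enabled it. Either delete the child or keep only the deny rules, with a one-line comment recording the decision the longer comment above already reaches (`# dbus-launch deliberately denied; synaptic works without it`). `@{BUILD_DIR} = /media/debuilder/` ends with a slash, so `@{BUILD_DIR}/**` expands with a doubled slash; drop the trailing slash from the variable unless the parser is known to normalise it. The synaptic hunk starts on an earlier line of this page.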
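Review bot: The comment above `deny /etc/ssl/certs/java/ r,` reads `# Silecne the noise`; it should be `# Silence the noise`. `/{usr/,}bin/ip rix,` runs iproute2 inside the syncthing profile, inheriting whatever network rules the included abstractions grant; a short comment on why syncthing execs it (presumably local address discovery, but that is an inference) would let a later reviewer judge whether `ix` is the right mode.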
@@ -0,0 +1,52 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/system-config-printer /usr/share/system-config-printer/system-config-printer.py +profile system-config-printer @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} mrix, + + /{usr/,}bin/dash r, + /{usr/,}bin/python3.[0-9]* r, + + /usr/share/system-config-printer/{,**} r, + + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + /etc/fstab r, + + /etc/cups/cupsd.conf r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner /tmp/* rw, + + # file_inherit + owner /dev/tty[0-9]* rw, + + #include if exists +} diff --git a/apparmor.d/system-config-printer-applet b/apparmor.d/system-config-printer-applet new file mode 100644 index 00000000..eab7e8d7 --- /dev/null +++ b/apparmor.d/system-config-printer-applet 
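Review bot: `owner /tmp/* rw,` matches every user-owned file directly under /tmp, so the printer dialog can read and overwrite other programs' temporary files of the same user, far broader than one tool's scratch file needs. Narrow it to the real name pattern once observed, e.g. `owner /tmp/<prefix placeholder>* rw,`, with a comment naming the component that creates the file.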
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py
+profile system-config-printer-applet @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/dash r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/share/system-config-printer/{,**} r,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/system_tor b/apparmor.d/system_tor
new file mode 100644
index 00000000..dfaa967c
--- /dev/null
+++ b/apparmor.d/system_tor
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+#include
+
+profile system_tor flags=(attach_disconnected) {
+ #include
+ #include
+
+ owner /var/lib/tor/** rwk,
+ owner /var/lib/tor/ r,
+ owner /var/log/tor/* w,
+
+ # During startup, tor (as root) tries to open various things such as
+ # directories via check_private_dir(). Let it.
+ /var/lib/tor/** r,
+
+ /{,var/}run/tor/ r,
+ /{,var/}run/tor/control w,
+ /{,var/}run/tor/socks w,
+ /{,var/}run/tor/tor.pid w,
+ /{,var/}run/tor/control.authcookie w,
+ /{,var/}run/tor/control.authcookie.tmp rw,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/systemd-analyze b/apparmor.d/systemd-analyze
new file mode 100644
index 00000000..31ceaf46
--- /dev/null
+++ b/apparmor.d/systemd-analyze
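Review bot: `profile system_tor flags=(attach_disconnected) {` declares no attachment path, so nothing is confined by it automatically; it only takes effect when the service unit (`AppArmorProfile=system_tor`) or aa-exec selects it by name, which is worth stating in a header comment, e.g. `# No attachment path: selected by AppArmorProfile= in the tor service unit`. Its closing `#include` is the unconditional form while every other profile in this commit uses `#include if exists`, and it lacks the copyright header the rest carry, which suggests it is a copied distribution profile; a note on its origin would make that clear.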
@@ -0,0 +1,62 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/systemd-analyze +profile systemd-analyze @{exec_path} { + #include + #include + + # Needed for the prctl's PR_SET_MM option: + # prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted) + capability sys_resource, + + signal (send) peer=child-pager, + + @{exec_path} mr, + + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/man rPx, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/comm r, + @{PROC}/swaps r, + + # For systemd-analyze cat-config + /etc/systemd/** r, + /{usr/,}lib/systemd/** r, + + @{sys}/fs/cgroup/{systemd,unified}/** r, + @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, + @{sys}/firmware/acpi/tables/FPDT r, + + @{sys}/module/**/uevent r, + @{sys}/devices/**/uevent r, + /{var/,}run/udev/data/* r, + + /{var/,}run/udev/tags/systemd/ r, + /{var/,}run/systemd/system/ r, + /{var/,}run/systemd/userdb/io.systemd.DynamicUser w, + + owner /tmp/systemd-temporary-*/ rw, + + /usr/ r, + + /etc/default/locale r, + + #include if exists +} diff --git a/apparmor.d/systemd-fsck b/apparmor.d/systemd-fsck new file mode 100644 index 00000000..a95f88f0 --- /dev/null +++ b/apparmor.d/systemd-fsck 
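Review bot: `@{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,` grants write on cgroup.procs, which is the file that moves processes between cgroups, to a diagnostic tool; the preceding `@{sys}/fs/cgroup/{systemd,unified}/** r,` already covers reading it, so unless a subcommand was actually seen writing there the rule can be removed. If a write was observed, record which subcommand triggered it in a comment, e.g. `# cgroup.procs w: needed by systemd-analyze <subcommand placeholder>`.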
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-fsck
+profile systemd-fsck @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability net_admin,
+ capability sys_resource,
+
+ @{exec_path} mr,
+
+ /{usr/,}sbin/fsck rPx,
+ /{usr/,}sbin/e2fsck rPx,
+
+ owner /{var/,}run/systemd/quotacheck w,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-fsckd b/apparmor.d/systemd-fsckd
new file mode 100644
index 00000000..7fd5c097
--- /dev/null
+++ b/apparmor.d/systemd-fsckd
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
+profile systemd-fsckd @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_admin,
+ capability sys_tty_config,
+
+ @{exec_path} mr,
+
+ owner /{var/,}run/systemd/fsck.progress w,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-journalctl b/apparmor.d/systemd-journalctl
new file mode 100644
index 00000000..06995c9a
--- /dev/null
+++ b/apparmor.d/systemd-journalctl
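Review bot: Both `profile systemd-fsck @{exec_path} flags=(complain) {` and the systemd-fsckd profile in the next hunk ship in complain mode, so neither enforces anything yet; that is fine for profiles still being exercised at boot, but the reason should be written down (`# complain: rule set not yet confirmed against a real fsck run at boot`) so the flag is not forgotten. `capability net_admin,` appears in both and is unusual for fsck helpers, presumably for a socket option on the notify or progress socket; it deserves the same "To remove the following error" comment the other profiles in this commit use.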
@@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/journalctl +profile systemd-journalctl @{exec_path} { + #include + #include + #include + + capability sys_resource, + + signal (send) peer=child-pager, + + @{exec_path} mr, + + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/[0-9a-f]*/ r, + /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, + /{run,var}/log/journal/[0-9a-f]*/system.journal* r, + /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, + + # For --setup-keys and --verify + owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, + owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, + owner /var/tmp/#[0-9]* rw, + + /var/lib/systemd/catalog/database rw, + /var/lib/systemd/catalog/.#database* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + #include if exists +} diff --git a/apparmor.d/systemd-journald b/apparmor.d/systemd-journald new file mode 100644 index 00000000..b72a9a54 --- /dev/null +++ b/apparmor.d/systemd-journald 
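Review bot: The link rule `owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,` hard-codes /var/log as the link target while its source path allows both /run and /var, so `--setup-keys` on a volatile journal would be denied; the target should be `/{run,var}/log/journal/[0-9a-f]*/fss.tmp.*`. Separately, `user-[0-9a-f]*.journal* rw` and `system@[0-9a-f]*.journal* rw` give a reader tool write access to journal files while `system.journal*` stays read-only; if the writes are for `--vacuum-*` (unlink needs `w`), a comment saying so would make the asymmetry look intentional rather than accidental.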
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-journald
+profile systemd-journald @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability syslog,
+ capability sys_ptrace,
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ /etc/systemd/journald.conf r,
+
+ /{var/,}run/log/ rw,
+ /{run,var}/log/journal/ rw,
+ /{run,var}/log/journal/[0-9a-f]*/ rw,
+ /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+ /{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
+ /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+ /{run,var}/log/journal/[0-9a-f]*/fss rw,
+
+ owner /{var/,}run/systemd/journal/{,**} rw,
+ owner /{var/,}run/systemd/notify rw,
+
+ /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ /{var/,}run/udev/data/c10:224 r, # for /dev/tpm0
+ /{var/,}run/udev/data/+usb:* r,
+ /{var/,}run/udev/data/+pci:* r,
+ /{var/,}run/udev/data/+hid:* r,
+ /{var/,}run/udev/data/+acpi:* r,
+ /{var/,}run/udev/data/+scsi:* r,
+ /{var/,}run/udev/data/+bluetooth:* r,
+ /{var/,}run/udev/data/+usb-serial:* r,
+ /{var/,}run/udev/data/+platform:regulatory.[0-9]* r,
+ /{var/,}run/udev/data/+platform:simple-framebuffer.[0-9]* r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/attr/current r,
+ @{PROC}/@{pids}/sessionid r,
+ @{PROC}/@{pids}/loginuid r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/hostname r,
+
+ /dev/kmsg rw,
+
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-modules-load b/apparmor.d/systemd-modules-load
new file mode 100644
index 00000000..a5b0e7e3
--- /dev/null
+++ b/apparmor.d/systemd-modules-load
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-modules-load
+profile systemd-modules-load @{exec_path} {
+ #include
+ #include
+
+ # To load kernel modules
+ capability sys_module,
+
+ @{exec_path} mr,
+
+ @{sys}/module/*/initstate r,
+
+ /etc/modules r,
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/*.conf r,
+ /etc/modules-load.d/ r,
+ /etc/modules-load.d/*.conf r,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-networkd b/apparmor.d/systemd-networkd
new file mode 100644
index 00000000..77397578
--- /dev/null
+++ b/apparmor.d/systemd-networkd
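Review bot: `capability sys_module,` is the only privilege in the systemd-modules-load hunk, yet no visible rule grants read access to the module tree under `/lib/modules`, so the profile presumably relies on the (stripped) `#include` abstractions for the module files and dependency index; if they do not cover it, the unit fails at boot once the profile is enforced. Since loading modules is equivalent to kernel-level code execution, the reads that feed it deserve to be explicit; a comment such as `# module files and modules.dep are covered by the included abstraction` — or the rules themselves — would make the dependency auditable.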
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
+profile systemd-networkd @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+
+ @{exec_path} mr,
+
+ /etc/systemd/networkd.conf r,
+ /etc/systemd/network/ r,
+ /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
+
+ owner /{var/,}run/systemd/netif/links/.#* rw,
+ owner /{var/,}run/systemd/netif/links/[0-9]* rw,
+ owner /{var/,}run/systemd/netif/leases/[0-9]* rw,
+ owner /{var/,}run/systemd/netif/leases/.#* rw,
+ owner /{var/,}run/systemd/netif/.#state* rw,
+ owner /{var/,}run/systemd/netif/.#state rw,
+ owner /{var/,}run/systemd/netif/state rw,
+
+ # To be able to configure network interfaces
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
+
+ @{sys}/devices/**/net/** r,
+
+ /{var/,}run/udev/data/n[0-9]* r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-networkd-wait-online b/apparmor.d/systemd-networkd-wait-online
new file mode 100644
index 00000000..6dd167f8
--- /dev/null
+++ b/apparmor.d/systemd-networkd-wait-online
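Review bot: `owner /{var/,}run/systemd/netif/.#state* rw,` already matches every path the next line `owner /{var/,}run/systemd/netif/.#state rw,` grants, so the second line is redundant and can be dropped. `@{PROC}/sys/net/ipv{4,6}/** rw,` is a broad write grant over the whole IPv4/IPv6 sysctl tree; the comment above it says what it is for, but not which keys networkd actually touches, so a future reader cannot narrow it — `# networkd writes per-interface sysctls (forwarding, accept_ra, …); narrow once logs show the exact keys` would leave a trail.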
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-networkd-wait-online
+profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{var/,}run/systemd/netif/links/[0-9]* r,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-rfkill b/apparmor.d/systemd-rfkill
new file mode 100644
index 00000000..d68a6385
--- /dev/null
+++ b/apparmor.d/systemd-rfkill
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-rfkill
+profile systemd-rfkill @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /dev/rfkill rw,
+
+ @{sys}/devices/**/rfkill[0-9]*/{uevent,name} r,
+
+ /var/lib/systemd/rfkill/* rw,
+
+ /{var/,}run/systemd/notify rw,
+
+ /{var/,}run/udev/data/+rfkill:* r,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-shutdown b/apparmor.d/systemd-shutdown
new file mode 100644
index 00000000..98e5c014
--- /dev/null
+++ b/apparmor.d/systemd-shutdown
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-shutdown
+profile systemd-shutdown @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ capability sys_resource,
+ capability sys_boot,
+ capability kill,
+
+ signal (send) set=(stop, cont, term, kill),
+
+ @{exec_path} mr,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/1/cgroup r,
+ owner @{PROC}/@{pid}/comm r,
+ owner @{PROC}/sys/kernel/core_pattern w,
+ owner @{PROC}/sys/kernel/printk rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-sysctl b/apparmor.d/systemd-sysctl
new file mode 100644
index 00000000..c634f401
--- /dev/null
+++ b/apparmor.d/systemd-sysctl
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
+profile systemd-sysctl @{exec_path} {
+ #include
+ #include
+
+ # Are these needed?
+ deny capability sys_ptrace,
+ deny capability sys_admin,
+ deny capability net_admin,
+ deny capability sys_resource,
+
+ @{exec_path} mr,
+
+ @{PROC}/sys/** rw,
+
+ /etc/sysctl.d/ r,
+ /etc/sysctl.d/*.conf r,
+
+ /etc/sysctl.conf r,
+
+ #include if exists
+}
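Review bot: `owner @{PROC}/sys/kernel/core_pattern w,` grants write to one of the more sensitive sysctls (a value starting with `|` names a helper the kernel runs as root on every crash) and the `owner` qualifier adds nothing on /proc/sys, where root owns every file; the rule needs a why-comment so nobody loosens or copies it casually — presumably `# systemd-shutdown disables coredumps during shutdown — confirm against shutdown.c`. The same goes for `owner @{PROC}/sys/kernel/printk rw,`. With `flags=(complain)` none of this is enforced yet, so the rules currently serve only as documentation of intent, which is one more reason they should carry their reasons.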
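Review bot: The four `deny capability` lines under `# Are these needed?` in the systemd-sysctl hunk do more than the comment implies: an explicit `deny` takes precedence over any allow and cannot be re-enabled from the `#include if exists` local override at the bottom, so a site that turns out to need one of them must edit this file. An unlisted capability is denied anyway, so either resolve the question and drop the lines, or keep them and replace the comment with the intent, e.g. `# explicitly denied to silence audit noise; not overridable from local/`.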
diff --git a/apparmor.d/systemd-timedated b/apparmor.d/systemd-timedated
new file mode 100644
index 00000000..6363e5ce
--- /dev/null
+++ b/apparmor.d/systemd-timedated
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-timedated
+profile systemd-timedated @{exec_path} {
+ #include
+ #include
+
+ capability sys_time,
+
+ @{exec_path} mr,
+
+ /dev/rtc[0-9] r,
+
+ /etc/.#adjtime* rw,
+ /etc/adjtime rw,
+
+ /etc/.#localtime* rw,
+ /etc/localtime rw,
+
+ /etc/.#timezone* rw,
+ /etc/timezone rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-timesyncd b/apparmor.d/systemd-timesyncd
new file mode 100644
index 00000000..e6e8bc2e
--- /dev/null
+++ b/apparmor.d/systemd-timesyncd
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
+profile systemd-timesyncd @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability sys_time,
+
+ @{exec_path} mr,
+
+ /etc/systemd/timesyncd.conf r,
+
+ owner /var/lib/systemd/timesync/clock rw,
+
+ owner /{var/,}run/systemd/timesync/synchronized rw,
+ /{var/,}run/systemd/netif/state r,
+
+ #include if exists
+}
diff --git a/apparmor.d/tasksel b/apparmor.d/tasksel
new file mode 100644
index 00000000..0748ba28
--- /dev/null
+++ b/apparmor.d/tasksel
@@ -0,0 +1,84 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/tasksel
+profile tasksel @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/tempfile rix,
+ /{usr/,}lib/tasksel/tasksel-debconf rix,
+
+ /{usr/,}lib/tasksel/tests/* rCx -> tasksel-tests,
+
+ # Think what to do about this (#FIXME#)
+ /usr/share/debconf/frontend rPx,
+ #/usr/share/debconf/frontend rCx -> frontend,
+
+ /{usr/,}bin/dpkg-query rPx,
+ /{usr/,}bin/apt-cache rPx,
+
+ /{usr/,}bin/debconf-apt-progress rPx,
+
+ /usr/share/tasksel/** r,
+
+ /usr/share/debconf/confmodule r,
+
+ owner /tmp/file* w,
+
+
+ profile tasksel-tests flags=(complain) {
+ #include
+
+ /{usr/,}lib/tasksel/tests/* r,
+ /{usr/,}bin/dash r,
+
+ }
+
+ profile frontend flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ /usr/share/debconf/frontend r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/tasksel rPx,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
+
+ # The following is needed when debconf uses dialog/whiptail frontend.
+ /{usr/,}bin/whiptail rPx,
+ owner /tmp/file* w,
+
+ /usr/share/debconf/confmodule r,
+
+ /etc/debconf.conf r,
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+ /usr/share/debconf/templates/adequate.templates r,
+
+ /etc/shadow r,
+
+ }
+
+ #include if exists
+}
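Review bot: The `frontend` child profile grants `/etc/shadow r,` with no comment, yet nothing transitions into it — the `rCx -> frontend` rule is commented out in favour of `/usr/share/debconf/frontend rPx,` — so the child is dead configuration that carries a read grant on the password-hash file. Either remove the child until the `#FIXME#` above is resolved, or keep it and record the reason, e.g. `# TODO: why does the debconf frontend need /etc/shadow? drop if a denial never shows up`. Note also that `rPx` requires a separate profile for /usr/share/debconf/frontend to be loaded, which this commit's hunk does not provide, so in enforce mode that exec would fail.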
diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop
new file mode 100644
index 00000000..da228e37
--- /dev/null
+++ b/apparmor.d/telegram-desktop
@@ -0,0 +1,107 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram
+
+@{exec_path} = /{usr/,}bin/telegram-desktop
+profile telegram-desktop @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Launch external apps
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # What's this for?
+ deny /{usr/,}bin/fc-list rx,
+
+ # Telegram files
+ /usr/share/TelegramDesktop/{,**} r,
+
+ # Download dir
+ owner @{TELEGRAM_WORK_DIR}/ rw,
+ owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9],
+
+ # Telegram's profile (via telegram -many -workdir ~/some/dir/)
+ #owner @{TELEGRAM_WORK_DIR}/{,**} rw,
+
+ # Autostart
+ owner @{HOME}/.config/autostart/telegramdesktop.desktop rw,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ deny @{PROC}/sys/kernel/random/boot_id r,
+
+ /etc/fstab r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # Needed when saving files as, or otherwise the app crashes
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/qpdfview rPx,
+ /{usr/,}bin/geany rPx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/dash rix,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/qpdfview rPx,
+ /{usr/,}bin/geany rPx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/tftp b/apparmor.d/tftp
new file mode 100644
index 00000000..dc137b27
--- /dev/null
+++ b/apparmor.d/tftp
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/tftp
+profile tftp @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/thinkfan b/apparmor.d/thinkfan
new file mode 100644
index 00000000..4c094ec6
--- /dev/null
+++ b/apparmor.d/thinkfan
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/thinkfan
+profile thinkfan @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /etc/thinkfan.conf r,
+
+ @{sys}/devices/platform/**/hwmon/**/pwm[0-9]* rw,
+ @{sys}/devices/platform/**/hwmon/**/pwm[0-9]*_enable rw,
+ @{sys}/devices/platform/**/hwmon/**/temp[0-9]*_input r,
+
+ @{PROC}/acpi/ibm/thermal r,
+ @{PROC}/acpi/ibm/fan rw,
+
+ owner /{var/,}run/thinkfan.pid rw,
+
+ #include if exists
+}
+
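Review bot: `@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram` bakes one machine's mount point and user name into a profile that this commit moves into a shared repository; anyone else loading it gets an `owner ... rw` grant on a path that does not exist and denials on their real download directory. The variable belongs in a tunable (a `tunables/` entry or a file pulled in by the `#include if exists` override), with a portable placeholder and a comment here such as `# adjust to your Telegram download/work dir`. The commented-out `#owner @{TELEGRAM_WORK_DIR}/{,**} rw,` under `# Telegram's profile` reads as a leftover from an earlier layout; if `-workdir` is not supported by this profile it can go.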
diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird
new file mode 100644
index 00000000..a45aaff2
--- /dev/null
+++ b/apparmor.d/thunderbird
@@ -0,0 +1,258 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# Useful info:
+# http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
+#
+
+#abi ,
+
+#include
+
+@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
+@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
+@{MOZ_CACHEDIR} = @{HOME}/.cache/thunderbird
+
+@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} /{usr/,}bin/thunderbird
+profile thunderbird @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ ptrace peer=@{profile_name},
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ @{exec_path} mrix,
+ @{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/which rix,
+
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/dig rix,
+
+ # Thunderbird files
+ /usr/share/thunderbird/{,**} r,
+ /etc/thunderbird/{,**} r,
+
+ # Extensions
+ @{MOZ_LIBDIR}/extensions/{,**} r,
+ /usr/share/mozilla/extensions/{,**} r,
+ /usr/share/lightning/{,**} r,
+
+ # Thunderbird home files
+ owner @{MOZ_HOMEDIR}/ rw,
+ owner "@{MOZ_HOMEDIR}/{Crash Reports,Pending Pings}/" rw,
+ owner "@{MOZ_HOMEDIR}/Crash Reports/**" rw,
+ owner @{MOZ_HOMEDIR}/*.*/ rw,
+ owner @{MOZ_HOMEDIR}/*.*/** rwk,
+ deny @{MOZ_HOMEDIR}/*.*/pepmda/ rw,
+ deny @{MOZ_HOMEDIR}/*.*/pepmda/** rwklmx,
+ owner @{MOZ_HOMEDIR}/profiles.ini rw,
+ owner @{MOZ_HOMEDIR}/installs.ini rw,
+ deny @{HOME}/.mozilla/** mrwkl,
+
+ # Cache
+ owner @{HOME}/.cache/ rw,
+ owner @{MOZ_CACHEDIR}/{,**} rw,
+
+ # Needed for system mails
+ owner /var/mail/* rwk,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/Mail/ rw,
+ owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
+
+ # Fix error in libglib while saving files as
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # Spellcheck
+ /{usr/,}bin/locale rix,
+
+ # System integration
+ /etc/mime.types r,
+ owner @{HOME}/.config/mimeapps.list.* rw,
+
+ # KDE system keyring
+ /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
+ /usr/share/xul-ext/kwallet5/* r,
+ /etc/xul-ext/kwallet5.js r,
+ owner @{HOME}/.config/kwalletrc r,
+
+ # QT5
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ deny @{sys}/devices/system/cpu/present r,
+ deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/cgroup r,
+ deny owner @{PROC}/@{pid}/stat r,
+ deny owner @{PROC}/@{pids}/cmdline r,
+ deny owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pid}/task/ r,
+ deny owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ # To remove the following error:
+ # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
+ # (g-file-error-quark, 2)
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ deny @{PROC}/@{pid}/net/arp r,
+ deny @{PROC}/@{pid}/net/route r,
+ # for dig
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # TMP files
+ /var/tmp/ r,
+ /tmp/ r,
+ owner /tmp/* rw,
+ owner /tmp/thunderbird{,_*}/ rw,
+ owner /tmp/thunderbird{,_*}/* rwk,
+ owner /tmp/mozilla_*/ rw,
+ owner /tmp/mozilla_*/* rw,
+ owner /tmp/MozillaMailnews/ rw,
+ owner /tmp/MozillaMailnews/*.msf rw,
+ owner /tmp/Temp-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/ rw,
+
+ deny /dev/ r,
+ /dev/urandom w,
+ /dev/shm/ r,
+ owner /dev/shm/org.chromium.* rw,
+ owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
+
+ /etc/fstab r,
+
+ /etc/mailcap r,
+
+ /usr/share/sounds/freedesktop/stereo/*.oga r,
+
+ # Silencer
+ deny /{usr/,}lib/thunderbird/** w,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/exo-open rCx -> open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+
+ # Needed for enigmail
+ /usr/share/xul-ext/enigmail/{,**} r,
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpg-connect-agent rCx -> gpg,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+ /{usr/,}bin/qpdfview rPUx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/engrampa rPUx,
+ /{usr/,}bin/geany rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+
+ profile gpg {
+ #include
+ #include
+
+ /{usr/,}bin/gpgconf mr,
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpg-connect-agent mr,
+ /{usr/,}bin/gpgsm mr,
+ /{usr/,}bin/gpg-agent rix,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ owner /tmp/nscopy.tmp w,
+
+ # For encryption + signature
+ owner /tmp/gpgOutput.* rw,
+
+ # for inline pgp
+ owner /tmp/encfile rw,
+ owner /tmp/encfile-[0-9]* rw,
+
+ # for signature generation
+ owner /tmp/nsemail.eml w,
+ owner /tmp/nsemail-[0-9]*.eml w,
+
+ # for signature verifications
+ owner /tmp/data.sig r,
+ owner /tmp/data-[0-9]*.sig r,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ deny owner @{MOZ_HOMEDIR}/*.*/** rw,
+ deny owner @{MOZ_CACHEDIR}/** rw,
+ deny /usr/share/thunderbird/** r,
+ deny /usr/share/sounds/freedesktop/stereo/*.oga r,
+ deny owner /tmp/thunderbird{,_*}/* rwk,
+ deny /dev/shm/org.chromium.* r,
+ deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
+ owner /tmp/ns* rw,
+
+ }
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+ /{usr/,}bin/exo-open mr,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+ /{usr/,}bin/qpdfview rPUx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/engrampa rPUx,
+ /{usr/,}bin/geany rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/tint2 b/apparmor.d/tint2
new file mode 100644
index 00000000..d374565c
--- /dev/null
+++ b/apparmor.d/tint2
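Review bot: The five viewers under `# Allowed apps to open` are launched with `rPUx`, which runs the target unconfined whenever no profile for it is loaded, so a mail client handing an attachment to firefox, qpdfview, viewnior, engrampa or geany silently leaves confinement on any host missing one of those profiles; the same list is repeated in the `open` child profile near the end of the hunk. The telegram-desktop profile in this commit uses `rPx` for the overlapping firefox/qpdfview/geany targets, which fails closed — if the fallback here is deliberate, a comment such as `# PUx: runs unconfined when no profile is loaded — intentional` should say so, otherwise `rPx` is the safer choice. Separately, `owner /tmp/* rw,` under `# TMP files` is much broader than the dedicated thunderbird/mozilla temp-dir rules that follow it; worth narrowing if the audit log does not require it.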
@@ -0,0 +1,69 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/tint2
+profile tint2 @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Tint2 files
+ /usr/share/tint2/{,**} r,
+
+ # Tint2 config files
+ /etc/xdg/tint2/tint2rc r,
+ owner @{HOME}/.config/tint2/{,*} rw,
+
+ # Tint2 cache files
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/tint2/ rw,
+ owner @{HOME}/.cache/tint2/[0-9a-f]*.png w,
+ owner @{HOME}/.cache/tint2/icon.cache rwk,
+
+ # Launcher config files
+ owner @{HOME}/.config/launchers/{,*.desktop} r,
+ owner @{HOME}/.config/launchers/icons/{,*.png} r,
+
+ /{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr,
+
+ # Some missing icons
+ /usr/share/**.png r,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner /tmp/tint2-@{pid}-[0-9]*.png rw,
+
+ # Battery applet
+ @{sys}/class/power_supply/ r,
+ @{sys}/devices/**/power_supply/**/* r,
+
+ @{sys}/fs/cgroup/** r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/tint2conf b/apparmor.d/tint2conf
new file mode 100644
index 00000000..b788fecc
--- /dev/null
+++ b/apparmor.d/tint2conf
@@ -0,0 +1,50 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/tint2conf
+profile tint2conf @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/tint2 rPx,
+
+ /{usr/,}bin/dash rix,
+
+ /usr/share/tint2/{,*} r,
+
+ /etc/xdg/tint2/ r,
+ /etc/xdg/tint2/tint2rc r,
+
+ owner @{HOME}/.config/tint2/ r,
+ owner @{HOME}/.config/tint2/* rw,
+
+ owner @{HOME}/.cache/tint2/[0-9a-f]*.png r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/top b/apparmor.d/top
new file mode 100644
index 00000000..e73d2f79
--- /dev/null
+++ b/apparmor.d/top
@@ -0,0 +1,80 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# When any of the "ns*" fields is displayed, the following error will be printed:
+# "Failed name lookup - disconnected path" error=-13 profile="top" name="".
+@{exec_path} = /{usr/,}bin/top
+profile top @{exec_path} flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+
+ # To be able to read the /proc/ files of all processes in the system.
+ capability dac_read_search,
+
+ # To manage priorities.
+ capability sys_nice,
+
+ # To terminate other users' processes when top is started as root.
+ capability kill,
+
+ capability sys_ptrace,
+
+ signal (send),
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ @{PROC}/ r,
+ @{PROC}/loadavg r,
+ @{PROC}/uptime r,
+ @{PROC}/tty/drivers r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/oom_score r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/wchan r,
+
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/@{pids}/task/@{tid}/cmdline r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/statm r,
+ @{PROC}/@{pids}/task/@{tid}/environ r,
+ @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/task/@{tid}/oom_score r,
+ @{PROC}/@{pids}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/oom_score r,
+ @{PROC}/@{pids}/task/@{tid}/cgroup r,
+ @{PROC}/@{pids}/task/@{tid}/wchan r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+
+ /etc/topdefaultrc r,
+ /etc/toprc r,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+ @{sys}/devices/system/node/node[0-9]*/cpumap r,
+
+ owner @{HOME}/.config/procps/ rw,
+ owner @{HOME}/.config/procps/toprc rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox
new file mode 100644
index 00000000..4363cdfa
--- /dev/null
+++ b/apparmor.d/torbrowser.Browser.firefox
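Review bot: `@{PROC}/@{pids}/oom_{,score_}adj r,` and `@{PROC}/@{pids}/oom_score r,` appear twice — once in the per-process block and again wedged between the `task/@{tid}/oom_score` and `task/@{tid}/cgroup` rules — so the second pair is redundant and can be dropped. `signal (send),` and `ptrace (read),` carry no `peer=` restriction; top's kill/renice and per-task reads genuinely need to reach arbitrary pids, but a one-line comment (`# no peer= — top acts on any pid it displays`) would record that the breadth is intentional, in the same style as the capability comments above.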
@@ -0,0 +1,150 @@ +#include +#include + +@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real + +profile torbrowser_firefox @{torbrowser_firefox_executable} { + #include + #include + + # Uncomment the following lines if you want to give the Tor Browser read-write + # access to most of your personal files. + # #include + # @{HOME}/ r, + + # Audio support + /{,usr/}bin/pulseaudio Pixr, + + #dbus, + network netlink raw, + network tcp, + + ptrace (trace) peer=@{profile_name}, + signal (receive, send) set=("term") peer=@{profile_name}, + + deny /etc/host.conf r, + deny /etc/hosts r, + deny /etc/nsswitch.conf r, + deny /etc/resolv.conf r, + deny /etc/passwd r, + deny /etc/group r, + deny /etc/mailcap r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /dev/ r, + /dev/shm/ r, + + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/task/*/stat r, + @{PROC}/sys/kernel/random/uuid r, + + owner @{torbrowser_installation_dir}/ r, + owner @{torbrowser_installation_dir}/* r, + owner @{torbrowser_installation_dir}/.** rwk, + owner @{torbrowser_installation_dir}/update.test/ rwk, + owner @{torbrowser_home_dir}/.** rwk, + owner @{torbrowser_home_dir}/ rw, + owner @{torbrowser_home_dir}/** rwk, + owner @{torbrowser_home_dir}.bak/ rwk, + owner @{torbrowser_home_dir}.bak/** rwk, + owner @{torbrowser_home_dir}/*.so mr, + owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk, + owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl, + owner @{torbrowser_home_dir}/browser/** r, + owner @{torbrowser_home_dir}/{,browser/}components/*.so mr, + owner @{torbrowser_home_dir}/Downloads/ rwk, + owner @{torbrowser_home_dir}/Downloads/** rwk, + owner @{torbrowser_home_dir}/firefox rix, + owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw, + owner 
@{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix, + owner @{torbrowser_home_dir}/updater ix, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/.parentwritetest rw, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk, + owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r, + owner @{torbrowser_home_dir}/fonts/* l, + owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px, + owner @{torbrowser_home_dir}/TorBrowser/Tor/ r, + owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr, + owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr, + + # parent Firefox process when restarting after upgrade, Web Content processes + owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox, + + /etc/mailcap r, + /etc/mime.types r, + + /usr/share/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/mime/ r, + /usr/share/themes/ r, + /usr/share/applications/** rk, + /usr/share/gnome/applications/ r, + /usr/share/gnome/applications/kde4/ r, + /usr/share/poppler/cMap/ r, + + # Distribution homepage + /usr/share/homepage/ r, + /usr/share/homepage/** r, + + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/present r, + /sys/devices/system/node/ r, + /sys/devices/system/node/node[0-9]*/meminfo r, + deny /sys/devices/virtual/block/*/uevent r, + + # Should use abstractions/gstreamer instead once merged upstream + /etc/udev/udev.conf r, + /run/udev/data/+pci:* r, + /sys/devices/pci[0-9]*/**/uevent r, + owner /{dev,run}/shm/shmfd-* rw, + + # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s) + owner /{dev,run}/shm/org.chromium.* rw, + owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC + + # Deny access to DRM nodes, that's granted by the X abstraction, which is + # sourced by the gnome abstraction, that we include. 
+ deny /dev/dri/** rwklx, + + # Silence denial logs about permissions we don't need + deny /dev/dri/ rwklx, + deny @{HOME}/.cache/fontconfig/ rw, + deny @{HOME}/.cache/fontconfig/** rw, + deny @{HOME}/.config/gtk-2.0/ rw, + deny @{HOME}/.config/gtk-2.0/** rw, + deny @{PROC}/@{pid}/net/route r, + deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, + deny /run/user/[0-9]*/dconf/user rw, + deny /usr/bin/lsb_release x, + deny capability sys_admin, + + # Silence denial logs about PulseAudio + deny /etc/pulse/client.conf r, + deny /usr/bin/pulseaudio x, + + # KDE 4 + owner @{HOME}/.kde/share/config/* r, + + # Xfce4 + /etc/xfce4/defaults.list r, + /usr/share/xfce4/applications/ r, + + # u2f (tested with Yubikey 4) + /sys/class/ r, + /sys/bus/ r, + /sys/class/hidraw/ r, + /run/udev/data/c24{7,9}:* r, + /dev/hidraw* rw, + # Yubikey NEO also needs this: + /sys/devices/**/hidraw/hidraw*/uevent r, + + #include +} diff --git a/apparmor.d/torbrowser.Browser.plugin-container b/apparmor.d/torbrowser.Browser.plugin-container new file mode 100644 index 00000000..fdf5fda1 --- /dev/null +++ b/apparmor.d/torbrowser.Browser.plugin-container 
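Review bot: `/{,usr/}bin/pulseaudio Pixr,` under "Audio support" is contradicted by `deny /usr/bin/pulseaudio x,` near the end of the same profile; deny rules take precedence over allow rules in AppArmor, so on a merged-/usr system the Pixr rule never takes effect and the "Audio support" comment is misleading — keep one of the two and say which behaviour is intended. Separately, `@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/...` hard-codes `/home/*/` while tunables/torbrowser derives `@{torbrowser_installation_dir}` from `@{HOME}`, so a home location added via `@{HOMEDIRS}+=` in tunables/home.d would get the file rules but not the profile attachment; if the parser in use accepts a multi-valued variable in the attachment, `@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real` keeps the two in step. The same literal is repeated in torbrowser.Browser.plugin-container and torbrowser.Tor.tor.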
@@ -0,0 +1,104 @@ +#include +#include + +@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real + +profile torbrowser_plugin_container { + #include + + # Uncomment the following lines if you want Tor Browser + # to have direct access to your sound hardware. You will also + # need to remove, further bellow: + # - the "deny" word in the machine-id lines + # - the rules that deny reading /etc/pulse/client.conf + # and executing /usr/bin/pulseaudio + # #include + # /etc/asound.conf r, + # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw, + + signal (receive) set=("term") peer=torbrowser_firefox, + + deny /etc/host.conf r, + deny /etc/hosts r, + deny /etc/nsswitch.conf r, + deny /etc/resolv.conf r, + deny /etc/passwd r, + deny /etc/group r, + deny /etc/mailcap r, + + deny /etc/machine-id r, + deny /var/lib/dbus/machine-id r, + + /etc/mime.types r, + /usr/share/applications/gnome-mimeapps.list r, + + /dev/shm/ r, + + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/task/*/stat r, + @{PROC}/sys/kernel/random/uuid r, + + owner @{torbrowser_home_dir}/*.dat r, + owner @{torbrowser_home_dir}/*.manifest r, + owner @{torbrowser_home_dir}/*.so mr, + owner @{torbrowser_home_dir}/.cache/fontconfig/ rw, + owner @{torbrowser_home_dir}/.cache/fontconfig/** rw, + owner @{torbrowser_home_dir}/browser/** r, + owner @{torbrowser_home_dir}/components/*.so mr, + owner @{torbrowser_home_dir}/browser/components/*.so mr, + owner @{torbrowser_home_dir}/defaults/pref/ r, + owner @{torbrowser_home_dir}/defaults/pref/*.js r, + owner @{torbrowser_home_dir}/dependentlibs.list r, + owner @{torbrowser_home_dir}/fonts/ r, + owner @{torbrowser_home_dir}/fonts/** r, + owner @{torbrowser_home_dir}/omni.ja r, + owner 
@{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r, + owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r, + owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw, + owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r, + owner @{torbrowser_home_dir}/TorBrowser/Tor/ r, + owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr, + owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr, + owner @{torbrowser_home_dir}/Downloads/ rwk, + owner @{torbrowser_home_dir}/Downloads/** rwk, + + owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container, + + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/present r, + /sys/devices/system/node/ r, + /sys/devices/system/node/node[0-9]*/meminfo r, + deny /sys/devices/virtual/block/*/uevent r, + + # Should use abstractions/gstreamer instead once merged upstream + /etc/udev/udev.conf r, + /run/udev/data/+pci:* r, + /sys/devices/pci[0-9]*/**/uevent r, + owner /{dev,run}/shm/shmfd-* rw, + + # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s) + owner /{dev,run}/shm/org.chromium.* rw, + + # Deny access to DRM nodes, that's granted by the X abstraction, which is + # sourced by the gnome abstraction, that we include. + deny /dev/dri/** rwklx, + + # Silence denial logs about permissions we don't need + deny /dev/dri/ rwklx, + deny @{PROC}/@{pid}/net/route r, + deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, + + # Silence denial logs about PulseAudio + deny /etc/pulse/client.conf r, + deny /usr/bin/pulseaudio x, + + #include +} 
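Review bot: `profile torbrowser_plugin_container {` declares no attachment path, and the only rule in this diff that names the profile is its own `owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,`; the firefox profile transitions `pxmr -> torbrowser_firefox` rather than here, so unless a profile outside this change enters it, this profile is never used and content processes run under torbrowser_firefox. Also `owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,` uses `[0-9]` where the line above and the firefox profile use `[0-9]*`, so update directories numbered 10 and above would not match; `.../updates/[0-9]*/updater rw,` is presumably intended.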
diff --git a/apparmor.d/torbrowser.Tor.tor b/apparmor.d/torbrowser.Tor.tor new file mode 100644 index 00000000..f5b81779 --- /dev/null +++ b/apparmor.d/torbrowser.Tor.tor @@ -0,0 +1,46 @@ +#include +#include + +@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor + +profile torbrowser_tor @{torbrowser_tor_executable} { + #include + + network netlink raw, + network tcp, + network udp, + + /etc/host.conf r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/resolv.conf r, + owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr, + owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw, + owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw, + owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk, + owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr, + owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr, + + # Support some of the included pluggable transports + owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix, + @{PROC}/sys/net/core/somaxconn r, + #include + + # Silence file_inherit logs + deny @{torbrowser_home_dir}/{browser/,}omni.ja r, + deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r, + deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw, + deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r, + deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r, + # Silence logs from included pluggable transports + deny /etc/hosts r, + deny /etc/services r, + + @{PROC}/sys/kernel/random/uuid r, + /sys/devices/system/cpu/ r, + + # OnionShare compatibility + /tmp/onionshare/** rw, + + #include +} diff --git a/apparmor.d/torify b/apparmor.d/torify new file mode 100644 index 00000000..a296fa98 --- /dev/null +++ b/apparmor.d/torify 
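Review bot: `/tmp/onionshare/** rw,` is the only writable rule in this profile without the `owner` qualifier that the @{torbrowser_home_dir} rules above it carry; /tmp is shared and world-writable, so as written tor gets read-write access to whatever any other local user places under /tmp/onionshare/. `owner /tmp/onionshare/** rw,` limits the grant to files of the invoking user, assuming OnionShare creates that directory as the same user that launches tor. The `#include` arguments appear stripped in the rendered diff, so which abstractions are pulled in cannot be checked here.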
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/torify
+profile torify @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ #include if exists
+}
diff --git a/apparmor.d/torsocks b/apparmor.d/torsocks
new file mode 100644
index 00000000..709bcb5d
--- /dev/null
+++ b/apparmor.d/torsocks
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/torsocks
+profile torsocks @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ #include if exists
+}
diff --git a/apparmor.d/tpacpi-bat b/apparmor.d/tpacpi-bat
new file mode 100644
index 00000000..63f15223
--- /dev/null
+++ b/apparmor.d/tpacpi-bat
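Review bot: The torify and torsocks profiles grant only `@{exec_path} r,` and `/{usr/,}bin/dash rix,`, so no rule permits the wrapped command to be executed; if torify execs torsocks and torsocks execs its argument as the upstream wrapper scripts do, `torify <cmd>` is denied at that step, and neither profile carries `flags=(complain)` to soften it. If the intent is to confine only the shell and let the target run under its own policy, torify needs something like `/{usr/,}bin/torsocks rpx,` and torsocks an explicit exec rule for the target; because torsocks works by setting LD_PRELOAD, that rule must not be an environment-scrubbing uppercase `P`/`U` transition — `ix` or lowercase `pux` keeps the variable. The script bodies are not in this diff, so this is inferred from the two-line profiles.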
@@ -0,0 +1,36 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2017-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/tpacpi-bat +profile tpacpi-bat @{exec_path} { + #include + #include + + @{exec_path} mr, + /{usr/,}bin/perl r, + + /{usr/,}bin/dash rix, + /{usr/,}bin/cat rix, + + # To load the acpi_call module + /{usr/,}bin/kmod rPx, + + @{PROC}/acpi/call rw, + + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/**/path r, + + #include if exists +} diff --git a/apparmor.d/tunables/alias b/apparmor.d/tunables/alias new file mode 100644 index 00000000..a0c55c4f --- /dev/null +++ b/apparmor.d/tunables/alias @@ -0,0 +1,16 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# Alias rules can be used to rewrite paths and are done after variable +# resolution. For example, if '/usr' is on removable media: +# alias /usr/ -> /mnt/usr/, +# +# Or if mysql databases are stored in /home: +# alias /var/lib/mysql/ -> /home/mysql/, diff --git a/apparmor.d/tunables/apparmorfs b/apparmor.d/tunables/apparmorfs new file mode 100644 index 00000000..8df86759 --- /dev/null +++ b/apparmor.d/tunables/apparmorfs 
@@ -0,0 +1,11 @@ +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +@{apparmorfs}=@{securityfs}/apparmor/ diff --git a/apparmor.d/tunables/dovecot b/apparmor.d/tunables/dovecot new file mode 100644 index 00000000..702da58e --- /dev/null +++ b/apparmor.d/tunables/dovecot @@ -0,0 +1,20 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:ft=apparmor + +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories +# where dovecot is allowed to store and read mails +# +# The default value is quite broad to avoid breaking existing setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory +# you use, and remove everything else. + +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/ + diff --git a/apparmor.d/tunables/global b/apparmor.d/tunables/global new file mode 100644 index 00000000..28d6fc6d --- /dev/null +++ b/apparmor.d/tunables/global 
@@ -0,0 +1,21 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2006-2009 Novell/SUSE +# Copyright (C) 2010-2014 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# All the tunables definitions that should be available to every profile +# should be included here + +#include +#include +#include +#include +#include +#include +#include diff --git a/apparmor.d/tunables/home b/apparmor.d/tunables/home new file mode 100644 index 00000000..550ccd5d --- /dev/null +++ b/apparmor.d/tunables/home @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2006-2009 Novell/SUSE +# Copyright (C) 2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{HOME} is a space-separated list of all user home directories. While +# it doesn't refer to a specific home directory (AppArmor doesn't +# enforce discretionary access controls) it can be used as if it did +# refer to a specific home directory +@{HOME}=@{HOMEDIRS}/*/ /root/ + +# @{HOMEDIRS} is a space-separated list of where user home directories +# are stored, for programs that must enumerate all home directories on a +# system. +@{HOMEDIRS}=/home/ + +# Also, include files in tunables/home.d for site-specific adjustments to +# @{HOMEDIRS}. +#include diff --git a/apparmor.d/tunables/home.d/site.local b/apparmor.d/tunables/home.d/site.local new file mode 100644 index 00000000..e6796a0c --- /dev/null +++ b/apparmor.d/tunables/home.d/site.local 
@@ -0,0 +1,13 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2010 Canonical Ltd. +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# The following is a space-separated list of where additional user home +# directories are stored, each must have a trailing '/'. Directories added +# here are appended to @{HOMEDIRS}. See tunables/home for details. Eg: +#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/ diff --git a/apparmor.d/tunables/home.d/ubuntu b/apparmor.d/tunables/home.d/ubuntu new file mode 100644 index 00000000..32db0928 --- /dev/null +++ b/apparmor.d/tunables/home.d/ubuntu @@ -0,0 +1,7 @@ +# This file is auto-generated. It is recommended you update it using: +# $ sudo dpkg-reconfigure apparmor +# +# The following is a space-separated list of where additional user home +# directories are stored, each must have a trailing '/'. Directories added +# here are appended to @{HOMEDIRS}. See tunables/home for details. +#@{HOMEDIRS}+= diff --git a/apparmor.d/tunables/kernelvars b/apparmor.d/tunables/kernelvars new file mode 100644 index 00000000..65ee2667 --- /dev/null +++ b/apparmor.d/tunables/kernelvars 
@@ -0,0 +1,33 @@ +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# This file should contain declarations to kernel vars or variables +# that will become kernel vars at some point + +# until kernel vars are implemented +# and until the parser supports nested groupings like +# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},} +# use +@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} + +#same pattern as @{pid} for now +@{tid}=@{pid} + +#A pattern for pids that can appear +@{pids}=@{pid} + +# Placeholder for user id until kernel var is implemented to match +# current user of the confined application. +# Values are 0...4,294,967,295 (32-bit unsigned, 10 digits). +@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]} + +#same pattern as @{uid} for now +@{uids}=@{uid} + +# until kernel var is implemented +@{sys}=/sys/ diff --git a/apparmor.d/tunables/multiarch b/apparmor.d/tunables/multiarch new file mode 100644 index 00000000..c54082e0 --- /dev/null +++ b/apparmor.d/tunables/multiarch 
@@ -0,0 +1,17 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{multiarch} is the set of patterns matching multi-arch library +# install prefixes. +@{multiarch}=*-linux-gnu* + +# Also, include files in tunables/multiarch.d for site and packaging +# specific adjustments to @{multiarch}. +#include diff --git a/apparmor.d/tunables/multiarch.d/site.local b/apparmor.d/tunables/multiarch.d/site.local new file mode 100644 index 00000000..91877e2a --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/site.local @@ -0,0 +1,14 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2011 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# The following is a space-separated list of where additional multipath +# prefixes are stored, each should not have a trailing '/'. Directories +# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg: +#@{multiarch}+=*-freebsd* s390-hurd-zomg diff --git a/apparmor.d/tunables/proc b/apparmor.d/tunables/proc new file mode 100644 index 00000000..25a1964d --- /dev/null +++ b/apparmor.d/tunables/proc 
@@ -0,0 +1,12 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{PROC} is the location where procfs is mounted. +@{PROC}=/proc/ diff --git a/apparmor.d/tunables/securityfs b/apparmor.d/tunables/securityfs new file mode 100644 index 00000000..c572139f --- /dev/null +++ b/apparmor.d/tunables/securityfs @@ -0,0 +1,10 @@ +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{securityfs} is the location where securityfs is mounted. +@{securityfs}=@{sys}/kernel/security/ diff --git a/apparmor.d/tunables/share b/apparmor.d/tunables/share new file mode 100644 index 00000000..f41121c8 --- /dev/null +++ b/apparmor.d/tunables/share 
@@ -0,0 +1,15 @@ +@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export} + +# System-wide directories with behaviour analogous to /usr/share +# in patterns like the freedesktop.org basedir spec. These are +# owned by root or a system user, appear in XDG_DATA_DIRS, and +# are the parent directory for `applications`, `themes`, +# `dbus-1/services`, etc. +@{system_share_dirs} = /{usr,usr/local,var/lib/@{flatpak_exports_root}}/share + +# Per-user/personal directories with behaviour analogous to +# ~/.local/share in patterns like the freedesktop.org basedir spec. +# These are owned by the user running an application, appear in +# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory +# for the same subdirectories as @{system_share_dirs} +@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share diff --git a/apparmor.d/tunables/sys b/apparmor.d/tunables/sys new file mode 100644 index 00000000..c5257e30 --- /dev/null +++ b/apparmor.d/tunables/sys @@ -0,0 +1,9 @@ +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#This file is DEPRECATED! @{sys} is defined in tunables/kernelvars now. diff --git a/apparmor.d/tunables/torbrowser b/apparmor.d/tunables/torbrowser new file mode 100644 index 00000000..9b311390 --- /dev/null +++ b/apparmor.d/tunables/torbrowser @@ -0,0 +1,2 @@ +@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_* +@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs new file mode 100644 index 00000000..fcaf8d40 --- /dev/null +++ b/apparmor.d/tunables/xdg-user-dirs 
@@ -0,0 +1,24 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2014 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# Define the common set of XDG user directories (usually defined in +# /etc/xdg/user-dirs.defaults) +@{XDG_DESKTOP_DIR}="Desktop" +@{XDG_DOWNLOAD_DIR}="Downloads" +@{XDG_TEMPLATES_DIR}="Templates" +@{XDG_PUBLICSHARE_DIR}="Public" +@{XDG_DOCUMENTS_DIR}="Documents" +@{XDG_MUSIC_DIR}="Music" +@{XDG_PICTURES_DIR}="Pictures" +@{XDG_VIDEOS_DIR}="Videos" + +# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments +# to the various XDG directories +#include diff --git a/apparmor.d/tunables/xdg-user-dirs.d/site.local b/apparmor.d/tunables/xdg-user-dirs.d/site.local new file mode 100644 index 00000000..8fcabfa0 --- /dev/null +++ b/apparmor.d/tunables/xdg-user-dirs.d/site.local @@ -0,0 +1,21 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2014 Canonical Ltd. +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# The following may be used to add additional entries such as for +# translations. See tunables/xdg-user-dirs for details. Eg: +#@{XDG_MUSIC_DIR}+="Musique" + +#@{XDG_DESKTOP_DIR}+="" +#@{XDG_DOWNLOAD_DIR}+="" +#@{XDG_TEMPLATES_DIR}+="" +#@{XDG_PUBLICSHARE_DIR}+="" +#@{XDG_DOCUMENTS_DIR}+="" +#@{XDG_MUSIC_DIR}+="" +#@{XDG_PICTURES_DIR}+="" +#@{XDG_VIDEOS_DIR}+="" diff --git a/apparmor.d/tune2fs b/apparmor.d/tune2fs new file mode 100644 index 00000000..e69817d6 --- /dev/null +++ b/apparmor.d/tune2fs 
@@ -0,0 +1,37 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}sbin/{tune2fs,e2label} +profile tune2fs @{exec_path} { + #include + #include + #include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/swaps r, + + /.ismount-test-file rw, + + owner /{,var/}run/blkid/blkid.tab{,-*} rw, + owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + + # Image files + @{HOME}/** rw, + /media/*/** rw, + + #include if exists +} diff --git a/apparmor.d/ucf b/apparmor.d/ucf new file mode 100644 index 00000000..8649dff2 --- /dev/null +++ b/apparmor.d/ucf 
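Review bot: `@{HOME}/** rw,` and `/media/*/** rw,` (commented "Image files") give tune2fs, which normally runs as root, read-write access to every file in every user's home and on every mounted medium, and this profile is in enforce mode, so these two rules are the effective boundary. Narrowing them to the image patterns actually used, e.g. `@{HOME}/**.img rw,` and `/media/*/**.img rw,` with whatever extensions the author targets, keeps the grant minimal; adding `owner` would not help here, since under sudo the fsuid is root and user-owned images would stop matching.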
@@ -0,0 +1,111 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/ucf +profile ucf @{exec_path} flags=(complain) { + #include + #include + + @{exec_path} r, + /{usr/,}bin/bash r, + /{usr/,}bin/dash r, + + /{usr/,}bin/basename rix, + /{usr/,}bin/seq rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/which rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/id rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/stat rix, + + /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/dpkg-divert rPx, + + /{usr/,}bin/sensible-pager rCx -> pager, + + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, + + /etc/ucf.conf r, + /var/lib/ucf/** rw, + + owner /tmp/* rw, + /etc/default/* rw, + + # For md5sum + /etc/** r, + /usr/share/*/conffiles/* r, + /{var/,}run/* r, + + # For writing new config files + /etc/** rw, + + /usr/share/debconf/confmodule r, + + + profile pager flags=(complain) { + #include + #include + + /{usr/,}bin/sensible-pager mr, + + } + + profile frontend flags=(complain) { + #include + #include + #include + #include + + /usr/share/debconf/frontend r, + /{usr/,}bin/perl r, + + /{usr/,}bin/ucf rPx, + + /{usr/,}bin/dash rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} 
rwk, + + # The following is needed when debconf uses GUI frontends. + #include + #include + #include + #include + capability dac_read_search, + /{usr/,}bin/lsb_release rPx -> child-lsb_release, + /{usr/,}bin/hostname rPx, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + } + + #include if exists +} diff --git a/apparmor.d/udevadm b/apparmor.d/udevadm new file mode 100644 index 00000000..3ac87a3e --- /dev/null +++ b/apparmor.d/udevadm 
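Review bot: The `frontend` child profile is unreachable: the only rule that would enter it, `#/usr/share/debconf/frontend rCx -> frontend,`, is commented out, and the active `/usr/share/debconf/frontend rPx,` transitions to whatever standalone profile attaches to that path, so the whole child profile is dead policy until the `#FIXME#` is resolved — a one-line comment above `profile frontend` saying it is kept for the rCx variant would make that explicit. The `pager` child has the mirror problem: sensible-pager is presumably a shell wrapper that execs the configured pager, and nothing in `profile pager` allows the interpreter or the pager itself, so in enforce mode the pager would not start unless the stripped `#include` abstractions cover it; `/{usr/,}bin/{less,more,pager} rPUx,` or a comment stating the intent would close that gap. Both are masked by `flags=(complain)` for now.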
@@ -0,0 +1,87 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2019-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/udevadm +@{exec_path} += /{usr/,}lib/systemd/systemd-udevd +profile udevadm @{exec_path} flags=(complain,attach_disconnected) { + #include + #include + #include + #include + + # (##FIXME##) + capability sys_admin, + capability net_admin, + capability dac_read_search, + capability dac_override, + capability sys_ptrace, + capability sys_resource, + capability chown, + capability fsetid, + capability sys_module, + + ptrace (read), + + @{exec_path} mr, + + /{usr/,}bin/chgrp rix, + /{usr/,}bin/chmod rix, + + /{usr/,}sbin/* rPUx, + + /{usr/,}lib/udev/* rPUx, + /{usr/,}lib/systemd/systemd-* rPUx, + /{usr/,}lib/crda/* rPUx, + + /etc/console-setup/*.sh rPUx, + + /etc/default/* r, + + /etc/udev/ r, + /etc/udev/udev.conf r, + /etc/udev/rules.d/ r, + /etc/udev/rules.d/[0-9][0-9]-*.rules r, + + /etc/udev/hwdb.d/ r, + /etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r, + /etc/udev/hwdb.bin rw, + /etc/udev/.#hwdb.bin* rw, + + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + /etc/systemd/network/ r, + /etc/systemd/network/[0-9][0-9]-*.link r, + + /{var/,}run/udev/ rw, + /{var/,}run/udev/** rw, + + /{var/,}run/systemd/seats/seat[0-9]* r, + + @{sys}/** rw, + + /dev/ rw, + /dev/** rwk, + + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/sys/kernel/random/boot_id r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + #include if exists +} diff --git a/apparmor.d/udiskie b/apparmor.d/udiskie new file mode 100644 index 00000000..90dc9113 --- /dev/null 
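Review bot: `/etc/udev/rules.d/[0-9][0-9]-*.rules r,` only matches files with a two-digit numeric prefix, but udev loads every `*.rules` file in that directory, so a locally added `local.rules` would be denied for the systemd-udevd attachment; `/etc/udev/rules.d/*.rules r,` matches what the daemon reads, and the same applies to the `[0-9][0-9]-*.hwdb` and `[0-9][0-9]-*.link` rules below it. Beyond that, `/{usr/,}sbin/* rPUx,`, `/{usr/,}lib/udev/* rPUx,` and `/{usr/,}lib/systemd/systemd-* rPUx,` send every helper without its own profile to unconfined, and with `capability sys_admin`, `capability sys_module`, `@{sys}/** rw,` and `/dev/** rwk,` already granted the profile will confine little once `complain` is dropped; the `##FIXME##` marker above the capability list should record which capabilities were actually observed as needed so the rest can be removed.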
+++ b/apparmor.d/udiskie @@ -0,0 +1,71 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/udiskie +profile udiskie @{exec_path} { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9] r, + + /{usr/,}bin/ r, + /{usr/,}bin/xdg-open rCx -> open, + + owner @{HOME}/.config/udiskie/ r, + owner @{HOME}/.config/udiskie/config.yml r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + /etc/fstab r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + # Allowed apps to open + /{usr/,}bin/spacefm rPx, + + # Silencer + deny /{usr/,}lib/** w, + + + profile open { + #include + #include + + /{usr/,}bin/xdg-open mr, + + # Allowed apps to open + /{usr/,}bin/spacefm rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + #include if exists +} diff --git a/apparmor.d/udiskie-info b/apparmor.d/udiskie-info new file mode 100644 index 00000000..7bdfaa1c --- /dev/null +++ b/apparmor.d/udiskie-info 
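Review bot: `/{usr/,}bin/python3.[0-9] r,` matches only python3.0 through python3.9; once Python 3.10 is installed the interpreter path no longer matches and udiskie is denied at startup under this enforce-mode profile. `/{usr/,}bin/python3.[0-9]* r,` covers two-digit minors; the same pattern appears in udiskie-info, udiskie-mount and udiskie-umount. Separately, the `open` child profile grants `/{usr/,}bin/xdg-open mr,` but xdg-open is presumably a shell script, and no rule in `profile open` allows the shell or any handler other than spacefm, so unless the stripped `#include` abstractions cover it the `rCx -> open` transition will fail at the interpreter.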
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/udiskie-info
+profile udiskie-info @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9] r,
+
+ /usr/bin/ r,
+
+ owner @{HOME}/.config/udiskie/ r,
+ owner @{HOME}/.config/udiskie/config.yml r,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/udiskie-mount b/apparmor.d/udiskie-mount
new file mode 100644
index 00000000..7bdf8770
--- /dev/null
+++ b/apparmor.d/udiskie-mount
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/udiskie-mount
+profile udiskie-mount @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9] r,
+
+ /usr/bin/ r,
+
+ owner @{HOME}/.config/udiskie/ r,
+ owner @{HOME}/.config/udiskie/config.yml r,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/udiskie-umount b/apparmor.d/udiskie-umount
new file mode 100644
index 00000000..8e21a083
--- /dev/null
+++ b/apparmor.d/udiskie-umount
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/udiskie-umount
+profile udiskie-umount @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9] r,
+
+ /usr/bin/ r,
+
+ owner @{HOME}/.config/udiskie/ r,
+ owner @{HOME}/.config/udiskie/config.yml r,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ #include if exists
+}
diff --git a/apparmor.d/udisksctl b/apparmor.d/udisksctl
new file mode 100644
index 00000000..8d2d62ab
--- /dev/null
+++ b/apparmor.d/udisksctl
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/udisksctl
+profile udisksctl @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd
new file mode 100644
index 00000000..7f26f510
--- /dev/null
+++ b/apparmor.d/udisksd
@@ -0,0 +1,152 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/udisks2/udisksd /usr/libexec/udisks2/udisksd
+profile udisksd @{exec_path} {
+ #include
+ #include
+ #include
+
+ # To remove the following errors:
+ # udisksd[]: Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sda':
+ # SGIO v3 ioctl failed (v4 not supported): Operation not permitted (g-io-error-quark, 14)
+ capability sys_rawio,
+
+ # To allow users to mount volumes
+ # Error mounting /dev/sd*: GDBus.Error:org.freedesktop.UDisks2.Error.Failed:
+ # Error mounting /dev/sd* at /media/*/*: Operation not permitted.
+ capability sys_admin,
+
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/umount rix,
+
+ /{usr/,}bin/eject rPx,
+ /{usr/,}sbin/dumpe2fs rPx,
+ /{usr/,}sbin/dmidecode rPx,
+
+ /{usr/,}sbin/lvm rPUx,
+
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+
+ /{usr/,}bin/systemd-escape rCx -> systemd-escape,
+
+ # Allow mounting of removable devices
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z] -> /media/*/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z][0-9]* -> /media/*/*/,
+ # Allow mounting of loop devices (ISO files)
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> /media/*/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]*p[0-9]* -> /media/*/*/,
+ # Allow mounting of cdrom
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
+ mount fstype={iso9660,udf} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
+ # Allow mounting od sd cards
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9] -> /media/*/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9]*p[0-9]* -> /media/*/*/,
+ # Allow unmounting
+ umount /media/*/,
+ umount /media/*/*/,
+ umount /media/cdrom[0-9]/,
+
+ # Be able to create/delete dirs for removable media
+ /media/*/ rw,
+ /media/*/*/ rw,
+ /media/cdrom[0-9]/ rw,
+
+ # Udisks2 config files
+ /etc/udisks2/ r,
+ /etc/udisks2/udisks2.conf r,
+
+ # For mounting NTFS disks
+ capability setuid,
+ capability setgid,
+ /{usr/,}bin/ntfs-3g rPx,
+
+ /etc/libblockdev/conf.d/ r,
+ /etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/swaps r,
+ @{PROC}/devices r,
+
+ # To be able to initialize device-mapper disk devices
+ /dev/mapper/control rw,
+
+ # The special /dev/loop-control file can be used to create and destroy loop devices or to find
+ # the first available loop device.
+ /dev/loop-control rw,
+
+ # To check whether the x-udisks-auth option was used to specify that additional authorization is
+ # required to mount/unlock a device
+ /etc/fstab r,
+ /etc/crypttab r,
+
+ # To be able to operate on encryted devices
+ /{var/,}run/cryptsetup/ r,
+ /{var/,}run/cryptsetup/L* rwk,
+
+ @{sys}/fs/ r,
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+
+ @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
+
+ # For powering off USB devices
+ @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+
+ @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+
+ /{var/,}run/ r,
+
+ # Info on mounted devices
+ /{var/,}run/mount/utab{,.*} rw,
+ /{var/,}run/mount/utab.lock rwk,
+ /var/lib/udisks2/mounted-fs{,*} rw,
+
+ /{var/,}run/udisks2/ rw,
+ /{var/,}run/udisks2/loop{,.*} rw,
+ /{var/,}run/udisks2/unlocked-luks{,.*} rw,
+ /{var/,}run/udisks2/mounted-fs{,.*} rw,
+
+ /{var/,}run/systemd/seats/seat[0-9]* r,
+
+
+ profile systemd-escape {
+ #include
+
+ ptrace (read),
+
+ /{usr/,}bin/systemd-escape mr,
+
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/stat r,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ /dev/kmsg w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/umount b/apparmor.d/umount
new file mode 100644
index 00000000..84ac2f9a
--- /dev/null
+++ b/apparmor.d/umount
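Review bot: The mount rules in the udisksd hunk (which begins two physical lines earlier) constrain source device and target directory but not mount options, so `mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z][0-9]* -> /media/*/*/,` as written also permits a removable-media mount without nosuid/nodev if the daemon ever requests one; if udisksd is expected to always add those flags, pinning them with an `options=` constraint on the removable-media rules (check the exact matching semantics in apparmor.d(5) before choosing `options=` versus `options in`) lets the profile enforce that rather than trust the daemon's defaults. Two comments have typos: `# Allow mounting od sd cards` should read `# Allow mounting of SD cards`, and `# To be able to operate on encryted devices` should read `encrypted`. `/{usr/,}sbin/lvm rPUx,` falls back to unconfined whenever no lvm profile is loaded, which deserves a comment saying the fallback is intentional.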
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/umount
+profile umount @{exec_path} flags=(complain) {
+ #include
+
+ # To be able to umount anything
+ # umount2("/mnt", 0) = -1 EPERM (Operation not permitted)
+ #
+ # umount: /mnt: must be superuser to unmount.
+ capability sys_admin,
+
+ capability setuid,
+ capability setgid,
+
+ umount,
+
+ @{exec_path} mr,
+
+ # Mount points
+ /media/*/ r,
+ /media/*/*/ r,
+ /mnt/ r,
+ /mnt/*/ r,
+ /media/cdrom[0-9]/ r,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
+
+ owner /{,var/}run/mount/ rw,
+ owner /{,var/}run/mount/utab{,.*} rw,
+ owner /{,var/}run/mount/utab.lock wk,
+
+ #include if exists
+}
diff --git a/apparmor.d/uname b/apparmor.d/uname
new file mode 100644
index 00000000..2cfc9405
--- /dev/null
+++ b/apparmor.d/uname
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/uname
+profile uname @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
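Review bot: In the umount hunk the bare `umount,` rule permits unmounting any path, while the `# Mount points` block only grants `r` on a handful of directories, so the listed paths do not narrow what may be unmounted; the comment `# To be able to umount anything` describes the rule but not whether that breadth is wanted. Since the profile is still `flags=(complain)`, this is the moment to decide: either restrict to `umount /media/*/, umount /media/*/*/, umount /mnt/*/, umount /media/cdrom[0-9]/,` matching the directories already listed, or keep the bare rule and say in the comment that the directory rules are for reads only. `capability setuid,` and `capability setgid,` have no why-comment, unlike `sys_admin` two lines above; matching that style would tell the next reader which denial prompted them.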
diff --git a/apparmor.d/unhide-linux b/apparmor.d/unhide-linux
new file mode 100644
index 00000000..7069dacb
--- /dev/null
+++ b/apparmor.d/unhide-linux
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/unhide{,-linux}
+profile unhide-linux @{exec_path} {
+ #include
+
+ capability kill,
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/ps rix,
+
+ @{PROC}/ r,
+ @{PROC}/uptime r,
+ @{PROC}/@{pids}/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/@{pids}/task/@{tid}/ r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/cmdline r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ #include if exists
+}
diff --git a/apparmor.d/unhide-posix b/apparmor.d/unhide-posix
new file mode 100644
index 00000000..fc2f6057
--- /dev/null
+++ b/apparmor.d/unhide-posix
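Review bot: `capability kill,` and `capability sys_ptrace,` in the unhide-linux profile lack the why-comment that other profiles in this commit give their capabilities (unix-chkpwd's `audit_write`, unmkinitramfs's `mknod`). I would annotate them, hedged until confirmed from the audit log: `# kill: presumably for kill(pid, 0) existence probes of PIDs missing from /proc — confirm` and `# sys_ptrace: needed to read /proc/<pid>/ entries of other users' processes`. The remaining rules are read-only on /proc, which is the right shape for a scanner that should only observe.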
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/unhide-posix
+profile unhide-posix @{exec_path} {
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/ps rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{,e}grep rix,
+
+ @{PROC}/ r,
+ @{PROC}/uptime r,
+ #@{PROC}/@{pids}/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/task/ r,
+ #@{PROC}/@{pids}/task/@{tid}/ r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/cmdline r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/tty/drivers r,
+
+ #include if exists
+}
diff --git a/apparmor.d/unhide-rb b/apparmor.d/unhide-rb
new file mode 100644
index 00000000..8ca7c545
--- /dev/null
+++ b/apparmor.d/unhide-rb
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/unhide_rb
+profile unhide-rb @{exec_path} {
+ #include
+
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ @{PROC}/ r,
+ @{PROC}/@{pids}/task/ r,
+
+
+ #include if exists
+}
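Review bot: Two rules in the unhide-posix hunk are committed commented out, `#@{PROC}/@{pids}/ r,` and `#@{PROC}/@{pids}/task/@{tid}/ r,`, with no note on why they are disabled while unhide-linux in the previous hunk has the same two rules enabled. Either drop them or turn the leading `#` into a one-line reason such as `# not needed: unhide-posix reads stat/cmdline only, never the directory listing`, otherwise the next reader cannot tell a deliberately omitted rule from a leftover. `capability sys_ptrace,` would also benefit from the same why-comment as suggested for unhide-linux.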
diff --git a/apparmor.d/unhide-tcp b/apparmor.d/unhide-tcp
new file mode 100644
index 00000000..addc0cf9
--- /dev/null
+++ b/apparmor.d/unhide-tcp
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/unhide-tcp
+profile unhide-tcp @{exec_path} {
+ #include
+
+ capability net_bind_service,
+ capability syslog,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/ss rix,
+ /{usr/,}bin/netstat rix,
+ /{usr/,}bin/fuser rix,
+
+ @{PROC}/@{pids}/net/tcp{,6} r,
+ @{PROC}/@{pids}/net/udp{,6} r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/maps r,
+
+ # For logs
+ /**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,
+
+ #include if exists
+}
diff --git a/apparmor.d/unix-chkpwd b/apparmor.d/unix-chkpwd
new file mode 100644
index 00000000..5e2542c9
--- /dev/null
+++ b/apparmor.d/unix-chkpwd
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/unix_chkpwd
+profile unix-chkpwd @{exec_path} {
+ #include
+ #include
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ @{exec_path} mr,
+
+ /etc/shadow r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
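Review bot: `/**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,` in the unhide-tcp hunk grants write access to a file of that name anywhere in the filesystem, because `/**/` matches any directory prefix, including locations a scanner has no reason to write to. If the log lands in the working directory (the date-stamped name suggests so), at minimum `owner /**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w,` narrows it to files the invoking user owns, and listing the directories it is actually run from would be tighter still. `capability net_bind_service,` and `capability syslog,` have no why-comment; `net_bind_service` in particular is surprising for a read-only scanner and deserves a line naming the audit event that prompted it (presumably its port-probing bind() calls — confirm).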
diff --git a/apparmor.d/unmkinitramfs b/apparmor.d/unmkinitramfs
new file mode 100644
index 00000000..04e4e2ef
--- /dev/null
+++ b/apparmor.d/unmkinitramfs
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/unmkinitramfs
+profile unmkinitramfs @{exec_path} {
+ #include
+
+ # To avoid the following error:
+ # cpio: etc/console-setup/null: Cannot mknod: Operation not permitted
+ capability mknod,
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/xzcat rix,
+ /{usr/,}bin/lz4cat rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/lzop rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/dd rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/cpio rix,
+
+ owner /boot/initrd.img-* r,
+ owner /tmp/initrd.img-* r,
+ owner /mnt/initrd.img-* r,
+ owner /mnt/boot/initrd.img-* r,
+
+ # To extract the content of the initrd image
+ owner /tmp/** rwl -> /tmp/**,
+
+ /var/tmp/ r,
+ owner /var/tmp/unmkinitramfs_* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/update-alternatives b/apparmor.d/update-alternatives
new file mode 100644
index 00000000..3c4d3568
--- /dev/null
+++ b/apparmor.d/update-alternatives
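Review bot: `owner /tmp/** rwl -> /tmp/**,` under `# To extract the content of the initrd image` is the broadest rule in the unmkinitramfs profile, and the comment does not say why it must cover all of /tmp while the /var/tmp case two lines below is pinned to `owner /var/tmp/unmkinitramfs_* rw,`. If it is there because the output directory is chosen by the caller, say so (`# output directory is caller-chosen; /tmp/** because that is where it usually points`); if it is for the tool's own scratch directory, the same `unmkinitramfs_*` pattern under /tmp would be the tighter match. Either way the `mknod` capability is well documented and the rest of the profile follows the file's style.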
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/update-alternatives
+profile update-alternatives @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /var/log/alternatives.log w,
+
+ /etc/alternatives/* rw,
+
+ /var/lib/dpkg/alternatives/ r,
+ /var/lib/dpkg/alternatives/* rw,
+
+ /{usr/,}bin/* w,
+ /{usr/,}bin/*.dpkg-tmp rw,
+
+ /{usr/,}sbin/* w,
+ /{usr/,}sbin/*.dpkg-tmp rw,
+
+ /usr/** rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/update-apt-xapian-index b/apparmor.d/update-apt-xapian-index
new file mode 100644
index 00000000..3dbec032
--- /dev/null
+++ b/apparmor.d/update-apt-xapian-index
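Review bot: `/usr/** rw,` subsumes the narrower `/{usr/,}bin/* w,`, `/{usr/,}bin/*.dpkg-tmp rw,`, `/{usr/,}sbin/* w,` and `/{usr/,}sbin/*.dpkg-tmp rw,` rules above it and grants read-write on the whole of /usr, which is a broad grant for a tool whose job is to create and replace symlinks at alternative link paths. If the broad rule exists because alternative links can live anywhere under /usr (man pages, icons and the like), record that in a comment such as `# alternative link paths are not confined to bin/ and sbin/ — see /var/lib/dpkg/alternatives/*`; otherwise enumerating the link directories actually used would be the tighter fit. As written, the four narrower rules are dead weight and the intent of the broad one is not stated.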
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/update-apt-xapian-index
+profile update-apt-xapian-index @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}sbin/ r,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /usr/share/apt-xapian-index/{,**} r,
+
+ /var/cache/apt-xapian-index/ rw,
+ /var/cache/apt-xapian-index/** rwk,
+
+ /var/lib/apt-xapian-index/ rw,
+ /var/lib/apt-xapian-index/* rwk,
+
+ /var/cache/apt/ r,
+ /var/cache/apt/** rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /var/lib/debtags/package-tags r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
+
diff --git a/apparmor.d/update-ca-certificates b/apparmor.d/update-ca-certificates
new file mode 100644
index 00000000..581c6848
--- /dev/null
+++ b/apparmor.d/update-ca-certificates
@@ -0,0 +1,105 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/update-ca-certificates
+profile update-ca-certificates @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/test rix,
+
+ /{usr/,}bin/openssl rix,
+
+ /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore,
+ /{usr/,}bin/run-parts rCx -> run-parts,
+
+ /etc/ca-certificates.conf r,
+ /etc/ssl/certs/ca-certificates.crt rw,
+ /etc/ssl/certs/*.pem rw,
+ /etc/ssl/certs/[0-9a-f]*.[0-9] rw,
+
+ /{usr/,}lib/locale/locale-archive r,
+
+ owner /tmp/ca-certificates{,.crt}.tmp.* rw,
+
+ @{PROC}/filesystems r,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/ca-certificates/update.d/ r,
+
+ # file_inherit
+ owner /dev/pts/[0-9]* rw,
+
+ }
+
+ profile jks-keystore {
+ #include
+ #include
+ #include
+
+ /etc/ca-certificates/update.d/jks-keystore mr,
+
+ /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/mountpoint rix,
+ /{usr/,}bin/dpkg-query rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /usr/share/ca-certificates-java/ca-certificates-java.jar r,
+ /usr/share/java/java-atk-wrapper.jar r,
+
+ /etc/default/cacerts r,
+ /etc/ssl/certs/java/cacerts rw,
+
/etc/java-[0-9]*-openjdk/{,**} r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ @{sys}/fs/cgroup/** r,
+
+ owner /tmp/hsperfdata_root/ rw,
+ owner /tmp/hsperfdata_root/[0-9]*[0-9] rw,
+
+ # file_inherit
+ owner /dev/pts/[0-9]* rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/update-command-not-found b/apparmor.d/update-command-not-found
new file mode 100644
index 00000000..c01b1533
--- /dev/null
+++ b/apparmor.d/update-command-not-found
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /usr/share/command-not-found/cnf-update-db
+@{exec_path} += /{usr/,}sbin/update-command-not-found
+profile update-command-not-found @{exec_path} {
+ #include
+ #include
+ #include
+
+ #capability sys_tty_config,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}lib/apt/apt-helper rix,
+
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /var/lib/command-not-found/ r,
+ /var/lib/command-not-found/commands.db* rwk,
+
+ /usr/share/command-not-found/{,**} r,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt.conf r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/apt/lists/ r,
+ /var/lib/apt/lists/*_Contents-* r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ /var/log/cron-apt/temp w,
+
+ #include if exists
+}
diff --git a/apparmor.d/update-desktop-database b/apparmor.d/update-desktop-database
new file mode 100644
index 00000000..1e21e7ca
--- /dev/null
+++ b/apparmor.d/update-desktop-database
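Review bot: `/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,` in the jks-keystore child profile (whose opening lines are on the previous physical line) only matches a JDK layout with a `jre/` subdirectory, which the OpenJDK packages from version 11 onwards no longer ship, so the hook's java launch would be denied there; `/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/{,jre/}bin/java rix,` covers both layouts. Separately, the parent's `/etc/ssl/certs/ca-certificates.crt rw,` and `/etc/ssl/certs/*.pem rw,` are the trust-store writes this tool exists to perform; a comment saying so would make future changes to those lines easier to review. The run-parts child profile only reads `/etc/ca-certificates/update.d/` and has no exec rule for the hooks, which is consistent with the parent executing `jks-keystore` itself, but that deserves a comment too.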
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/update-desktop-database
+profile update-desktop-database @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/applications/{,**/} r,
+ /usr/share/applications/**.desktop r,
+ /usr/share/applications/.mimeinfo.cache.* rw,
+ /usr/share/applications/mimeinfo.cache w,
+
+ /usr/share/*/*.desktop r,
+
+ #include if exists
+}
diff --git a/apparmor.d/update-dlocatedb b/apparmor.d/update-dlocatedb
new file mode 100644
index 00000000..e3118b77
--- /dev/null
+++ b/apparmor.d/update-dlocatedb
@@ -0,0 +1,67 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/update-dlocatedb
+profile update-dlocatedb @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/uniq rix,
+
+ /{usr/,}bin/ionice rix,
+
+ /usr/share/dlocate/updatedb rCx -> updatedb,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ owner @{PROC}/@{pid}/fd/2 w,
+
+ /var/lib/dlocate/dpkg-list w,
+
+
+ profile updatedb {
+ #include
+ #include
+
+ /usr/share/dlocate/updatedb r,
+ /{usr/,}bin/perl r,
+
+ /etc/default/dlocate r,
+
+ /var/lib/dlocate/ r,
+ /var/lib/dlocate/dlocatedb rw,
+ /var/lib/dlocate/dlocatedb.stamps{,.new} rw,
+ /var/lib/dlocate/dlocatedb.{new,old} rw,
+ link /var/lib/dlocate/dlocatedb.old -> /var/lib/dlocate/dlocatedb,
+
+ /var/lib/dpkg/diversions r,
+
+ /var/lib/dpkg/info/ r,
+ /var/lib/dpkg/info/*.list r,
+
+ # For compression
+ /{usr/,}bin/gzip rix,
+ /var/lib/dlocate/dlocatedb.gz rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/update-initramfs b/apparmor.d/update-initramfs
new file mode 100644
index 00000000..07ec1c35
--- /dev/null
+++ b/apparmor.d/update-initramfs
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/update-initramfs
+profile update-initramfs @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} rix,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/sha1sum rix,
+ /{usr/,}bin/sync rix,
+ /{usr/,}bin/uname rix,
+
+ /{usr/,}bin/dpkg-trigger rPx,
+ /{usr/,}bin/linux-version rPx,
+ /{usr/,}sbin/mkinitramfs rPx,
+
+ /var/lib/initramfs-tools/* w,
+
+ /etc/initramfs-tools/update-initramfs.conf r,
+
+ @{PROC}/1/mountinfo r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ owner /boot/ r,
+ owner /boot/initrd.img-* rw,
+ owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*,
+
+ #include if exists
+}
diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids
new file mode 100644
index 00000000..0c1e4136
--- /dev/null
+++ b/apparmor.d/update-pciids
@@ -0,0 +1,69 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/update-pciids
+profile update-pciids @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/chown rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/echo rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/bunzip2 rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/zgrep rix,
+
+ /{usr/,}bin/wget rCx -> browse,
+ /{usr/,}bin/curl rCx -> browse,
+ /{usr/,}bin/lynx rCx -> browse,
+
+ /usr/share/misc/ r,
+ /usr/share/misc/pci.ids* rw,
+ link /usr/share/misc/pci.ids.gz.old -> /usr/share/misc/pci.ids.gz,
+ link /usr/share/misc/pci.ids.old -> /usr/share/misc/pci.ids,
+
+
+ profile browse {
+ #include
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/wget mr,
+ /{usr/,}bin/curl mr,
+ /{usr/,}bin/lynx mr,
+
+ /etc/wgetrc r,
+ owner @{HOME}/.wget-hsts rwk,
+
+ /usr/share/misc/pci.ids.new w,
+ /usr/share/misc/pci.ids.gz.new w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/update-smart-drivedb b/apparmor.d/update-smart-drivedb
new file mode 100644
index 00000000..55f2a80c
--- /dev/null
+++ b/apparmor.d/update-smart-drivedb
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/update-smart-drivedb
+profile update-smart-drivedb @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash r,
+
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/dd rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cmp rix,
+
+ /{usr/,}sbin/smartctl rPx,
+
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/wget rCx -> browse,
+ /{usr/,}bin/curl rCx -> browse,
+ /{usr/,}bin/lynx rCx -> browse,
+
+ /var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
+
+ owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/{,**} rw,
+
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpg mr,
+
+ /{usr/,}bin/gpg-agent rix,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /var/lib/smartmontools/drivedb/drivedb.h.new.raw{,.asc} r,
+
+ owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/ rw,
+ owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/**,
+
+ }
+
+ profile browse {
+ #include
+ #include
+ #include
+ #include
+
+ /{usr/,}bin/wget mr,
+ /{usr/,}bin/curl mr,
+ /{usr/,}bin/lynx mr,
+
+ /{usr/,}bin/dash rix,
+
+ /etc/mime.types r,
+ /etc/mailcap r,
+
+ /etc/lynx/* r,
+ /etc/wgetrc r,
+ owner @{HOME}/.wget-hsts rwk,
+
+ /usr/share/publicsuffix/public_suffix_list.* r,
+
+ /var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/updatedb-mlocate b/apparmor.d/updatedb-mlocate
new file mode 100644
index 00000000..83e29fef
--- /dev/null
+++ b/apparmor.d/updatedb-mlocate
@@ -0,0 +1,70 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/updatedb.mlocate
+profile updatedb-mlocate @{exec_path} {
+ #include
+ #include
+
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability fsetid,
+
+ @{exec_path} mr,
+
+ /{usr/,}sbin/on_ac_power rPx,
+
+ / r,
+ /boot/ r,
+ /boot/**/ r,
+
+ /home/ r,
+ @{HOME}/ r,
+ @{HOME}/**/ r,
+
+ /etc/ r,
+ /etc/**/ r,
+
+ /usr/ r,
+ /usr/**/ r,
+
+ /var/ r,
+ /var/**/ r,
+
+ /opt/ r,
+ /opt/**/ r,
+
+ /srv/ r,
+ /srv/**/ r,
+
+ # Silence the noise
+ deny /efi/ r,
+ deny /hugepages/ r,
+ deny /lost+found/ r,
+ deny /mnt/ r,
+
+ /{var/,}run/mlocate.daily.lock r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /var/lib/mlocate/mlocate.db rwk,
+ /var/lib/mlocate/mlocate.db.* rw,
+
+ /etc/updatedb.conf r,
+
+ #include if exists
+}
diff --git a/apparmor.d/upower b/apparmor.d/upower
new file mode 100644
index 00000000..eb77816e
--- /dev/null
+++ b/apparmor.d/upower
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/upower
+profile upower @{exec_path} {
+ #include
+
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd
new file mode 100644
index 00000000..bedd9963
--- /dev/null
+++ b/apparmor.d/upowerd
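Review bot: `# Needed?` followed by `deny capability sys_nice,` leaves an open question in the shipped profile; the same pair appears in the usbguard-dbus profile later in this commit. An explicit `deny` on a capability is normally there to silence audit noise rather than to confine anything, and the comment should say which it is, e.g. `# Silence sys_nice requests; the client does not need it`, or the line should go if the audit log never shows the request. As written a reader cannot tell whether the deny was measured or guessed.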
@@ -0,0 +1,60 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd
+profile upowerd @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ # UPower config file
+ /etc/UPower/UPower.conf r,
+
+ # The history data for the power device
+ /var/lib/upower/history-*.dat{,.*} rw,
+
+ # Are all of these needed? (#FIXME#)
+ /dev/bus/usb/ r,
+ /dev/input/event* r,
+ @{sys}/bus/ r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/bus/hid/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/leds/ r,
+ @{sys}/class/power_supply/ r,
+ @{sys}/class/input/ r,
+ @{sys}/devices/ r,
+ @{sys}/devices/**/power_supply/**/* r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/**/capabilities/* r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum,speed,descriptors} r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+
+ @{sys}/devices/platform/**/leds/**/max_brightness r,
+ @{sys}/devices/platform/**/leds/**/brightness rw,
+ @{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
+
+ /{,var/}run/udev/data/ r,
+ /{,var/}run/udev/data/+power_supply* r,
+ /{,var/}run/udev/data/+input* r,
+ /{,var/}run/udev/data/+usb* r,
+ /{,var/}run/udev/data/+hid* r,
+ /{,var/}run/udev/data/c13:[0-9]* r, # for /dev/input/*
+ /{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+
+ /{,var/}run/systemd/inhibit/[0-9]*.ref rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/uptime b/apparmor.d/uptime
new file mode 100644
index 00000000..59bcd59a
--- /dev/null
+++ b/apparmor.d/uptime
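Review bot: Under `# Are all of these needed? (#FIXME#)`, `/dev/input/event* r,` stands out from the sysfs and udev read rules around it: it grants read on every evdev node, i.e. raw input event streams including keyboards, rather than on the power-supply attributes the rest of the block is about. If upowerd only needs this for a lid switch or similar, the rule still belongs here, but it deserves its own comment, e.g. `# Raw evdev access (lid switch); note this matches every input device`, and the FIXME could be resolved by checking the remaining rules against the audit log one by one. The `brightness rw` rules under `@{sys}/devices/platform/**/leds/**/` are the only sysfs writes in the profile and could likewise state what they are for.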
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/uptime
+profile uptime @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ @{PROC}/uptime r,
+ @{PROC}/loadavg r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ #include if exists
+}
diff --git a/apparmor.d/usb-devices b/apparmor.d/usb-devices
new file mode 100644
index 00000000..6305a53b
--- /dev/null
+++ b/apparmor.d/usb-devices
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/usb-devices
+profile usb-devices @{exec_path} {
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/readlink rix,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/usb/devices/ r,
+
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
+
+ #include if exists
+}
diff --git a/apparmor.d/usbguard b/apparmor.d/usbguard
new file mode 100644
index 00000000..ca3126c6
--- /dev/null
+++ b/apparmor.d/usbguard
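Review bot: In usb-devices the last file rule, `@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,`, only matches USB host controllers that sit under a PCI device; on machines whose controllers are platform devices the nodes live under `@{sys}/devices/platform/**/usb[0-9]/` and the script would be denied. The same PCI-only prefix is used by the usbguard and usbguard-daemon profiles and by upowerd's `{busnum,devnum,speed,descriptors}` rule in this commit. A broader but still sysfs-scoped form is `@{sys}/devices/**/usb[0-9]/{,**} r,`; if the narrower pattern is deliberate, a comment saying so would keep it from being widened by accident.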
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/usbguard
+profile usbguard @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /etc/usbguard/*.conf rw,
+ /etc/usbguard/IPCAccessControl.d/{,*} rw,
+
+ /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
+ /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
+
+ # For "usbguard generate-policy"
+ @{sys}/bus/usb/devices/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/uevent rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r,
+
+ #include if exists
+}
diff --git a/apparmor.d/usbguard-applet-qt b/apparmor.d/usbguard-applet-qt
new file mode 100644
index 00000000..916df51e
--- /dev/null
+++ b/apparmor.d/usbguard-applet-qt
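Review bot: The sysfs write grants under `# For "usbguard generate-policy"` look wider than the comment justifies: `uevent rw` and `{authorized_default,authorized,remove} rw` let the command-line client itself re-trigger uevents, (de)authorize devices or detach them from the bus, while its normal path to the daemon is the qb IPC shared memory listed just above. The same rules in the usbguard-daemon profile are expected, since that is the process that enforces the policy; for the client, if generate-policy only enumerates devices, `r` on those attributes (or dropping the two lines) keeps the policy-writing tool from doubling as a device-control tool. `/etc/usbguard/*.conf rw,` similarly covers the daemon's own configuration file as well as the rules file; splitting the two is cheap and makes the write surface explicit.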
@@ -0,0 +1,58 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/usbguard-applet-qt
+profile usbguard-applet-qt @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # Needed?
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.config/USBGuard/ rw,
+ owner @{HOME}/.config/USBGuard/* rwkl -> @{HOME}/.config/USBGuard/#[0-9]*[0-9],
+
+ /dev/shm/#[0-9]*[0-9] rw,
+ /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
+ /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
+
+ owner /{,var/}run/user/[0-9]*/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ #include if exists
+}
diff --git a/apparmor.d/usbguard-daemon b/apparmor.d/usbguard-daemon
new file mode 100644
index 00000000..072faa16
--- /dev/null
+++ b/apparmor.d/usbguard-daemon
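Review bot: `ptrace (read),` with no `peer=` qualifier, flagged `# Needed?`, lets a desktop tray applet read the process state of every other process the DAC rules permit; a grant that broad should be pinned to a peer or removed. If the only trigger is Qt reading the applet's own `/proc` entries (the `owner @{PROC}/@{pid}/cmdline r,` rule below hints at that), `ptrace (read) peer=@{profile_name},` is enough; otherwise the audit log shows the peer label that belongs there, and the comment should record it instead of the question.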
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/usbguard-daemon
+profile usbguard-daemon @{exec_path} {
+ #include
+ #include
+
+ # Needed? (##FIXME##)
+ #capability chown,
+ #capability fowner,
+
+ @{exec_path} mr,
+
+ /etc/usbguard/*.conf rw,
+ /etc/usbguard/IPCAccessControl.d/{,*} r,
+
+ owner /{,var/}run/usbguard.pid rwk,
+
+ /var/log/usbguard/usbguard-audit.log rw,
+
+ /dev/shm/ r,
+ /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
+ /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/ rw,
+ /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
+
+ @{sys}/bus/usb/devices/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/uevent rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{authorized_default,authorized,remove} rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r,
+
+ #include if exists
+}
diff --git a/apparmor.d/usbguard-dbus b/apparmor.d/usbguard-dbus
new file mode 100644
index 00000000..8fd8fb74
--- /dev/null
+++ b/apparmor.d/usbguard-dbus
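Review bot: `/etc/usbguard/*.conf rw,` gives the daemon write access to its own daemon configuration, not only to the rules file it has to update when rules are appended over IPC, so a misbehaving or compromised daemon could rewrite the settings it is supposed to enforce. Splitting into `/etc/usbguard/usbguard-daemon.conf r,` and `/etc/usbguard/rules.conf rw,` (adjust the second name to the rule file actually configured) keeps the read-only configuration and the writable policy apart. In the same spirit, `/var/log/usbguard/usbguard-audit.log rw,` grants read on the audit log where `w` is sufficient for an append-only writer, unless the daemon is known to read it back.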
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/usbguard-dbus
+profile usbguard-dbus @{exec_path} {
+ #include
+
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+ /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
+ /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/uscan b/apparmor.d/uscan
new file mode 100644
index 00000000..053ae619
--- /dev/null
+++ b/apparmor.d/uscan
@@ -0,0 +1,77 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/uscan
+profile uscan @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/pwd rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/file rix,
+
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/bzip2 rix,
+
+ /{usr/,}bin/uupdate rPUx,
+
+ # To run custom maintainer scripts
+ owner @{BUILD_DIR}/**/debian/* rPUx,
+
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgv rCx -> gpg,
+
+ /etc/dpkg/origins/debian r,
+
+ /etc/devscripts.conf r,
+ /etc/magic r,
+
+ # For package building
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+
+ # For GPG keys
+ owner /tmp/*/ rw,
+ owner /tmp/*/trustedkeys.gpg w,
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpgv mr,
+
+ owner @{HOME}/.gnupg/gpg.conf r,
+ owner @{HOME}/.gnupg/pubring.{gpg,kbx} r,
+
+ owner /tmp/*/trustedkeys.gpg rw,
+
+ owner @{BUILD_DIR}/**/debian/upstream/signing-key.asc r,
+ owner @{BUILD_DIR}/**/*.tar.* r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/useradd b/apparmor.d/useradd
new file mode 100644
index 00000000..e2142898
--- /dev/null
+++ b/apparmor.d/useradd
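Review bot: `owner @{BUILD_DIR}/**/debian/* rPUx,` hands unconfined execution to any file directly under a `debian/` directory anywhere in the build tree, and `@{BUILD_DIR}` is a site-specific absolute path (`/media/debuilder/`) baked into the profile body. Since uscan's job is to fetch and unpack untrusted upstream tarballs, this rule (and `/{usr/,}bin/uupdate rPUx,` two rules above it) is where confinement stops, and the comment should say so rather than just "custom maintainer scripts", e.g. `# Maintainer hooks run unconfined (PUx); nothing below this point is enforced for them`. The build-directory path belongs in a tunable or the `local/` override so sites do not have to edit the profile to change it.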
@@ -0,0 +1,93 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/useradd
+profile useradd @{exec_path} {
+ #include
+ #include
+ #include
+
+ # To create a user home dir and give it proper permissions:
+ # mkdir("/home/user", 000) = 0
+ # chown("/home/user", 0, 0) = 0
+ # chmod("/home/user", 0755) = 0
+ # chown("/home/user/", 1001, 1001) = 0
+ # chmod("/home/user/", 0755) = 0
+ capability chown,
+ capability fowner,
+
+ # To set the set-group-ID bit for the user home dir.
+ capability fsetid,
+
+ # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
+ # owner.
+ capability dac_read_search,
+ capability dac_override,
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/usermod rPx,
+
+ /{usr/,}sbin/pam_tally2 rCx -> pam_tally2,
+
+ /etc/login.defs r,
+
+ /etc/default/useradd r,
+
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
+
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+ /etc/shadow.lock wl -> /etc/shadow.@{pid},
+ /etc/group.lock wl -> /etc/group.@{pid},
+ /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
+ /etc/subuid.lock wl -> /etc/subuid.@{pid},
+ /etc/subgid.lock wl -> /etc/subgid.@{pid},
+
+ # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
+ # modify the /etc/passwd or /etc/shadow password database.
+ /etc/.pwd.lock rwk,
+
+ /var/log/faillog rw,
+ /var/log/lastlog rw,
+
+ # To create user dirs
+ @{HOME}/ rw,
+
+ # To copy files from /etc/skel/ to user dirs
+ @{HOME}/.* w,
+ /etc/skel/{,.*} r,
+
+
+ profile pam_tally2 {
+ #include
+ #include
+ #include
+
+ capability audit_write,
+
+ /{usr/,}sbin/pam_tally2 mr,
+
+ /var/log/tallylog rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/userdel b/apparmor.d/userdel
new file mode 100644
index 00000000..bcad77df
--- /dev/null
+++ b/apparmor.d/userdel
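Review bot: The skel-copy rules at the end of the main useradd profile, `@{HOME}/.* w,` and `/etc/skel/{,.*} r,`, only cover the top level of /etc/skel: a skeleton that contains directories (`/etc/skel/.config/...`) or non-dot entries cannot be copied, since neither the nested source files are readable nor `@{HOME}/<dir>/<file>` is writable. If recursion is wanted, `/etc/skel/{,**} r,` together with `@{HOME}/** w,` expresses it, and the `dac_read_search`/`dac_override` comment above already explains why those capabilities go with it; if only flat skeletons are meant to be supported, a comment saying so makes the narrow pattern look intentional rather than accidental.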
@@ -0,0 +1,70 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/userdel
+profile userdel @{exec_path} flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+
+ # The userdel command is issued as root and its task is to delete regular user accounts. It
+ # optionally can remove user files (via --remove). Because of that, the userdel command needs the
+ # following CAPs to be able to do so.
+ capability dac_read_search,
+ capability dac_override,
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ # To set the right permission to the files in the /etc/ dir).
+ capability chown,
+ capability fsetid,
+
+ # To prevent removing a user when it's used by some process.
+ capability sys_ptrace,
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /etc/login.defs r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pids}/task/ r,
+
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
+
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+ /etc/shadow.lock wl -> /etc/shadow.@{pid},
+ /etc/group.lock wl -> /etc/group.@{pid},
+ /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
+ /etc/subuid.lock wl -> /etc/subuid.@{pid},
+ /etc/subgid.lock wl -> /etc/subgid.@{pid},
+
+ # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
+ # modify the /etc/passwd or /etc/shadow password database.
+ /etc/.pwd.lock rwk,
+
+ # To remove user home files
+ @{HOME}/ rw,
+ @{HOME}/** w,
+
+ # To remove user mail
+ /var/mail/* w,
+
+ #include if exists
+}
diff --git a/apparmor.d/usermod b/apparmor.d/usermod
new file mode 100644
index 00000000..36398914
--- /dev/null
+++ b/apparmor.d/usermod
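Review bot: The `# To remove user home files` block grants `@{HOME}/ rw,` and `@{HOME}/** w,` but no read on subdirectories; deleting a home tree requires listing each nested directory, which needs `r` on the directory path. Unless one of the included abstractions (their targets are stripped in this rendering) supplies it, `--remove` on a home with any subdirectory stops at the first one it cannot list, so `@{HOME}/**/ r,` should sit next to the `w` rule. The `sys_ptrace`/`ptrace (read)` pair backed only by `@{PROC}/@{pids}/task/ r,` for the busy-process check is worth a confirming look in the audit log for the same reason: a listing without the per-task files it points at is unlikely to be the whole requirement.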
@@ -0,0 +1,68 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/usermod
+profile usermod @{exec_path} flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ # To set the right permission to the files in the /etc/ dir.
+ capability chown,
+ capability fsetid,
+
+ # To read user home files and change their user/group.
+ # usermod: Failed to change ownership of the home directory
+ capability dac_read_search,
+
+ # To move user home files to a new location.
+ capability fowner,
+
+ # To prevent removing a user when it's used by some process.
+ capability sys_ptrace,
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /etc/login.defs r,
+
+ /etc/{passwd,shadow,gshadow,group} rw,
+ /etc/{passwd,shadow,gshadow,group}.@{pid} w,
+ /etc/{passwd,shadow,gshadow,group}- w,
+ /etc/{passwd,shadow,gshadow,group}+ rw,
+
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+ /etc/group.lock wl -> /etc/group.@{pid},
+ /etc/shadow.lock wl -> /etc/shadow.@{pid},
+ /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
+
+ # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
+ # modify the /etc/passwd or /etc/shadow password database.
+ /etc/.pwd.lock rwk,
+
+ /etc/subuid r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pids}/task/ r,
+
+ # To create and move user dirs
+ @{HOME}/{,**} rw,
+ /var/{,**} rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/usr.bin.irssi b/apparmor.d/usr.bin.irssi
new file mode 100644
index 00000000..b310e976
--- /dev/null
+++ b/apparmor.d/usr.bin.irssi
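Review bot: `/var/{,**} rw,` under `# To create and move user dirs` grants read and write over the entire /var tree (package databases, logs, spools, caches), far beyond what moving a home directory or renaming a mail spool needs. If the intent is the mailbox rename that goes with a login change, `/var/mail/ r,` plus `/var/mail/* rw,` covers it; if this site keeps home directories under /var, scope the rule to that parent instead. Either way the comment should name the concrete case, because a root process holding `dac_read_search` and `fowner` together with unrestricted /var write is effectively unconfined for most of the system's persistent state.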
@@ -0,0 +1,53 @@
+# Author: Jamie Strandboge
+# For use with irssi within screen
+#include
+
+profile irssi /usr/bin/irssi flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ /usr/share/irssi/themes/*.theme r,
+ /usr/share/irssi/help/* r,
+ # Enable system wide scripts
+ /usr/share/irssi/scripts/* r,
+ /usr/share/ca-certificates/** r,
+ @{PROC}/uptime r,
+ /{usr/,}bin/dash ix,
+
+ # for screen_away
+ #include
+ /usr/bin/screen ix,
+ owner /{,var/}run/screen/** r,
+ owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]*[0-9] w,
+ @{PROC}/[0-9]*/stat r,
+
+ # for /uptime
+ /usr/bin/gawk ix,
+ /usr/bin/expr ix,
+ /{usr/,}bin/date ix,
+
+ # for /calc
+ /usr/bin/bc ix,
+ /{usr/,}bin/which ixr,
+
+ # config files, etc
+ /etc/irssi.conf r,
+ owner @{HOME}/.irssi/ r,
+ owner @{HOME}/.irssi/** r,
+ owner @{HOME}/.irssi/away.log wk,
+ owner @{HOME}/.irssi/config{,.autosave} wk,
+ owner @{HOME}/.irssi/*.theme wk,
+
+ # http://www.irssi.org/documentation/startup states that ~/irclogs is the
+ # default location for logs.
+ owner @{HOME}/irclogs/ r,
+ owner @{HOME}/irclogs/** rwk,
+
+ # for fnotify
+ owner @{HOME}/.irssi/fnotify rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.bin.lxc-start b/apparmor.d/usr.bin.lxc-start
new file mode 100644
index 00000000..2f289627
--- /dev/null
+++ b/apparmor.d/usr.bin.lxc-start
@@ -0,0 +1,5 @@
+#include
+
+profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) {
+ #include
+}
diff --git a/apparmor.d/usr.bin.man b/apparmor.d/usr.bin.man
new file mode 100644
index 00000000..b6cd0be6
--- /dev/null
+++ b/apparmor.d/usr.bin.man
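Review bot: `profile irssi /usr/bin/irssi flags=(complain)` ships the profile in complain mode, so none of its rules are enforced and a violation only produces a log entry; the libreoffice oosplash profile later in this commit carries the same flag. If the flag is intentional while the rule set is still being validated, a comment such as `# complain: still collecting denials, remove once the rule set is settled` makes that visible to whoever deploys it; if the rules are believed complete, drop the flag so the `@{HOME}/.irssi/**` and `/usr/share/irssi/scripts/*` reads are actually confined for a network-facing client.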
@@ -0,0 +1,113 @@
+# vim:syntax=apparmor
+
+#include
+
+/usr/bin/man {
+ #include
+
+ # Use a special profile when man calls anything groff-related. We only
+ # include the programs that actually parse input data in a non-trivial
+ # way, not wrappers such as groff and nroff, since the latter would need a
+ # broader profile.
+ /usr/bin/eqn rmCx -> &man_groff,
+ /usr/bin/grap rmCx -> &man_groff,
+ /usr/bin/pic rmCx -> &man_groff,
+ /usr/bin/preconv rmCx -> &man_groff,
+ /usr/bin/refer rmCx -> &man_groff,
+ /usr/bin/tbl rmCx -> &man_groff,
+ /usr/bin/troff rmCx -> &man_groff,
+ /usr/bin/vgrind rmCx -> &man_groff,
+
+ # Similarly, use a special profile when man calls decompressors and other
+ # simple filters.
+ /{,usr/}bin/bzip2 rmCx -> &man_filter,
+ /{,usr/}bin/gzip rmCx -> &man_filter,
+ /usr/bin/col rmCx -> &man_filter,
+ /usr/bin/compress rmCx -> &man_filter,
+ /usr/bin/iconv rmCx -> &man_filter,
+ /usr/bin/lzip.lzip rmCx -> &man_filter,
+ /usr/bin/tr rmCx -> &man_filter,
+ /usr/bin/xz rmCx -> &man_filter,
+
+ # Allow basically anything in terms of file system access, subject to DAC.
+ # The purpose of this profile isn't to confine man itself (that might be
+ # nice in the future, but is tricky since it's quite configurable), but to
+ # confine the processes it calls that parse untrusted data.
+ /** mrixwlk,
+ unix,
+
+ capability setuid,
+ capability setgid,
+
+ # Ordinary permission checks sometimes involve checking whether the
+ # process has this capability, which can produce audit log messages.
+ # Silence them.
+ deny capability dac_override,
+ deny capability dac_read_search,
+
+ signal peer=@{profile_name},
+ signal peer=/usr/bin/man//&man_groff,
+ signal peer=/usr/bin/man//&man_filter,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
+
+profile man_groff {
+ #include
+ # Recent kernels revalidate open FDs, and there are often some still
+ # open on TTYs. This is temporary until man learns to close irrelevant
+ # open FDs before execve.
+ #include
+ # man always runs its groff pipeline with the input file open on stdin,
+ # so we can skip .
+
+ /usr/bin/eqn rm,
+ /usr/bin/grap rm,
+ /usr/bin/pic rm,
+ /usr/bin/preconv rm,
+ /usr/bin/refer rm,
+ /usr/bin/tbl rm,
+ /usr/bin/troff rm,
+ /usr/bin/vgrind rm,
+
+ /etc/groff/** r,
+ /etc/papersize r,
+ /usr/lib/groff/site-tmac/** r,
+ /usr/share/groff/** r,
+
+ /tmp/groff* rw,
+
+ signal peer=/usr/bin/man,
+ # @{profile_name} doesn't seem to work here.
+ signal peer=/usr/bin/man//&man_groff,
+}
+
+profile man_filter {
+ #include
+ # Recent kernels revalidate open FDs, and there are often some still
+ # open on TTYs. This is temporary until man learns to close irrelevant
+ # open FDs before execve.
+ #include
+
+ /{,usr/}bin/bzip2 rm,
+ /{,usr/}bin/gzip rm,
+ /usr/bin/col rm,
+ /usr/bin/compress rm,
+ /usr/bin/iconv rm,
+ /usr/bin/lzip.lzip rm,
+ /usr/bin/tr rm,
+ /usr/bin/xz rm,
+
+ # Manual pages can be more or less anywhere, especially with "man -l", and
+ # there's no harm in allowing wide read access here since the worst it can
+ # do is feed data to the invoking man process.
+ /** r,
+
+ # Allow writing cat pages.
+ /var/cache/man/** w,
+
+ signal peer=/usr/bin/man,
+ # @{profile_name} doesn't seem to work here.
+ signal peer=/usr/bin/man//&man_filter,
+}
diff --git a/apparmor.d/usr.bin.pidgin b/apparmor.d/usr.bin.pidgin
new file mode 100644
index 00000000..c3ce8e14
--- /dev/null
+++ b/apparmor.d/usr.bin.pidgin
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+
+#include
+
+/usr/bin/pidgin {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ dbus receive
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged,PropertiesChanged}
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=state
+ peer=(label=unconfined),
+
+ deny ptrace,
+ deny capability sys_ptrace,
+ deny @{HOME}/.local/share/applications/wine/ r,
+
+ owner @{HOME}/.purple/ rw,
+ owner @{HOME}/.purple/** rwk,
+ owner @{HOME}/.purple/plugins/*.so m,
+ owner @{HOME}/.config/indicators/ rw,
+ owner @{HOME}/.config/indicators/** rw,
+ owner @{HOME}/.local/share/applications/ r,
+
+ # Uncomment the two following lines if you want to allow Pidgin to update
+ # any DConf setting:
+ # owner @{HOME}/.{cache,config}/dconf/user rw,
+ # owner /{,var/}run/user/[0-9]*/dconf/user rwk,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
+
+ # NB: the preferred browser and proxy settings must be configured
+ # in the GNOME preferences: this profile does not allow running
+ # the corresponding external configuration applications.
+ /usr/bin/gconftool-2 rPix,
+ /usr/bin/gnome-open rmix,
+ /usr/bin/gsettings rix,
+ /usr/bin/gvfs-open rmix,
+ /usr/bin/pidgin r,
+ /usr/bin/xdg-open rmix,
+
+ /etc/purple/prefs.xml r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /usr/lib/frei0r-1/*.so rm,
+ /usr/lib/@{multiarch}/libvisual-*/**.so rm,
+ /usr/lib/pidgin/*.so rm,
+ /usr/lib/purple*/*.so rm,
+
+ # pidgin-blinklight plugin
+ /usr/lib/pidgin-blinklight/blinklight-fixperm rPix,
+ @{PROC}/acpi/ibm/light rwk,
+
+ /usr/share/purple/ca-certs/ r,
+ /usr/share/purple/ca-certs/** r,
+ /usr/share/tcltk/** r,
+ /usr/share/themes/ r,
+
+ owner @{PROC}/@{pid}/auxv r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.bin.totem b/apparmor.d/usr.bin.totem
new file mode 100644
index 00000000..3b7913b1
--- /dev/null
+++ b/apparmor.d/usr.bin.totem
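Review bot: `/usr/bin/xdg-open rmix,` (and `gnome-open`/`gvfs-open` next to it) runs the URL handler and, through it, whatever browser or viewer it launches under pidgin's own rule set, so a link clicked in a chat opens a browser that inherits pidgin's file, D-Bus and `.purple/` access instead of the browser's own profile. The totem profile in this commit uses `Cx -> sanitized_helper` for its helper; if the ubuntu-helpers abstraction is among the (stripped) includes here, `/usr/bin/xdg-open rCx -> sanitized_helper,` is the consistent choice, otherwise `rPUx` at least lets the launched program pick up its own profile. The `deny ptrace,` / `deny capability sys_ptrace,` pair above shows the author already wanted this process kept small, which argues for the same treatment of its launchers.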
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge
+
+#include
+
+/usr/bin/totem {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (send) set=("kill") peer=unconfined,
+
+ # Maybe in an abstraction?
+ /usr/include/**/pyconfig.h r,
+
+ /usr/bin/totem r,
+ /usr/bin/totem-video-thumbnailer Pix,
+ /usr/bin/bwrap PUx,
+ /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
+ /dev/sr* r,
+
+ # Help browser
+ /usr/bin/yelp Cx -> sanitized_helper,
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+
+ # Quiet logs
+ deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
+
+ # Allow read and write on almost anything in @{HOME}. Lenient, but
+ # private-files-strict is in effect.
+ #include
+ owner @{HOME}/[^.]* rw,
+ owner @{HOME}/[^.]*/** rw,
+
+ # Allow usage of openat with O_TMPFILE
+ owner @{HOME}/#[0-9]*[0-9] m,
+
+ owner /{,var/}run/user/*/dconf/user w,
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+ /sys/devices/pci[0-9]*/**/config r,
+ /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.bin.totem-previewers b/apparmor.d/usr.bin.totem-previewers
new file mode 100644
index 00000000..7b861d0a
--- /dev/null
+++ b/apparmor.d/usr.bin.totem-previewers
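Review bot: `/usr/bin/totem-video-thumbnailer Pix` falls back to inheriting this profile whenever the thumbnailer's own profile is not loaded; since the thumbnailer is the component that parses untrusted media, the fail-closed form `Px` is the safer default, with a comment if the fallback is wanted on purpose. Related, `signal (send) set=("kill") peer=unconfined,` lets the player kill any unconfined process in the session, which is far wider than its own helpers; `/usr/bin/bwrap PUx` two lines below is the likely reason (the bwrap child runs unconfined and so cannot be named by label), and a comment such as `# kill the unconfined bwrap sandbox started below` would tie the two together so the rule is not widened further later.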
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge
+
+#include
+
+/usr/bin/totem-video-thumbnailer flags=(attach_disconnected) {
+ #include
+
+ # Probably needed due to this program being run with bwrap
+ @{HOMEDIRS} w,
+ owner @{HOME}/ w,
+
+ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
+ # effect.
+ #include
+ owner @{HOME}/[^.]* rw,
+ owner @{HOME}/[^.]*/** rw,
+
+ # Not needed by nautilus, but maybe other applications
+ owner /**.[pP][nN][gG] w,
+ owner /**.[jJ][pP]{,[eE]}[gG] w,
+
+ /usr/bin/totem-video-thumbnailer rm,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
+
+/usr/bin/totem-audio-preview flags=(attach_disconnected) {
+ #include
+ #include
+
+ # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # effect.
+ #include
+ owner @{HOME}/[^.]* rw,
+ owner @{HOME}/[^.]*/** rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.libreoffice.program.oosplash b/apparmor.d/usr.lib.libreoffice.program.oosplash
new file mode 100644
index 00000000..565cb03c
--- /dev/null
+++ b/apparmor.d/usr.lib.libreoffice.program.oosplash
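Review bot: `owner /**.[pP][nN][gG] w,` and the matching jpeg rule let the thumbnailer, whose input is untrusted media, create or overwrite any owner-owned image file anywhere on the filesystem, and the comment above them (`# Not needed by nautilus, but maybe other applications`) records a guess rather than a requirement. If some caller really needs output outside the thumbnail cache, the rule should name that caller and its directory; otherwise restricting it to the cache (`owner @{HOME}/.cache/thumbnails/** w,`, adjusted to the path the caller uses) or dropping the two lines keeps a parser bug from turning into arbitrary image-file clobbering. `@{HOMEDIRS} w,` under `# Probably needed due to this program being run with bwrap` deserves the same scrutiny, since write on the home-directory parent lets the sandboxed process create entries in `/home/` itself.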
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+# Copyright (C) 2018 Software in the Public Interest, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Author: Bryan Quigley
+# Rene Engelhard
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {
+ #include
+ #include
+
+ /etc/libreoffice/ r,
+ /etc/libreoffice/** r,
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+ /run/nscd/passwd r,
+ /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c
+ /usr/lib{,32,64}/ure/bin/javaldx rmpux,
+ /usr/share/libreoffice/program/* r,
+ /usr/lib/libreoffice/program/** r,
+ /usr/lib/libreoffice/program/soffice.bin rmpx,
+ /usr/lib/libreoffice/program/javaldx rmpux,
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+ unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
+ unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
+}
diff --git a/apparmor.d/usr.lib.libreoffice.program.senddoc b/apparmor.d/usr.lib.libreoffice.program.senddoc
new file mode 100644
index 00000000..75ae73fe
--- /dev/null
+++ b/apparmor.d/usr.lib.libreoffice.program.senddoc
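Review bot: The lowercase exec modifiers `rmpux` on the two `javaldx` rules and `rmpx` on `soffice.bin` transition without scrubbing the environment; the uppercase forms (`Px`, `PUx`) strip variables such as `LD_PRELOAD` and `LD_LIBRARY_PATH` across the transition, and `pux` additionally falls back to unconfined when no target profile is loaded. The senddoc profile in this commit mixes the two (`rmpux` for `uri-encode`, `rPUx` for `xdg-open` and `xdg-email`), so the choice is inconsistent within the set. Unless LibreOffice is known to depend on passing those variables through (a comment would record that), `rmPx` and `rmPUx` are the safer defaults; note that with `flags=(complain)` on this profile none of it is enforced yet.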
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+# Copyright (C) 2017 Software in the Public Interest, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Authors: Bryan Quigley
+# Rene Engelhard
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc {
+ #include
+
+ #include
+
+ /{usr/,}bin/sh rmix,
+ /{usr/,}bin/bash rmix,
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/sed rmix,
+ /usr/bin/dirname rmix,
+ /usr/bin/basename rmix,
+ /{usr/,}bin/grep rmix,
+ /{usr/,}bin/uname rmix,
+ /usr/bin/xdg-open rPUx,
+ /usr/bin/xdg-email rPUx,
+ /dev/null rw,
+ /usr/lib/libreoffice/program/uri-encode rmpux,
+ /usr/share/libreoffice/share/config/* r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+}
+
diff --git a/apparmor.d/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/usr.lib.libreoffice.program.soffice.bin
new file mode 100644
index 00000000..5b33af2a
--- /dev/null
+++ b/apparmor.d/usr.lib.libreoffice.program.soffice.bin
@@ -0,0 +1,271 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+# Copyright (C) 2018 Software in the Public Interest, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Authors: Jonathan Davies
+# Bryan Quigley
+# Rene Engelhard
+#
+# ------------------------------------------------------------------
+
+# This profile should enable the average LibreOffice user to get their
+# work done while blocking some advanced usage
+# Namely not tested and likely not working : embedded plugins,
+# Using the LibreOffice SDK and other development tasks
+# Everything else should be working
+
+#Defines all common supported file formats
+#Some obscure ones we're excluded (mostly input)
+
+#Generic
+#.txt
+@{libreoffice_ext} = [tT][xX][tT]
+#All the open document format
+@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
+#.xml and xsl
+@{libreoffice_ext} += [xX][mMsS][lL]
+#.pdf
+@{libreoffice_ext} += [pP][dD][fF]
+#Unified office format
+@{libreoffice_ext} += [uU][oO][fFtTsSpP]
+#(x)htm(l)
+@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
+#.epub
+@{libreoffice_ext} += [eE][pP][uU][bB]
+#.ps (printing to file)
+@{libreoffice_ext} += [pP][sS]
+
+#Images
+@{libreoffice_ext} += [jJ][pP][gG]
+@{libreoffice_ext} += [jJ][pP][eE][gG]
+@{libreoffice_ext} += [pP][nN][gG]
+@{libreoffice_ext} += [sS][vV][gG]
+@{libreoffice_ext} += [sS][vV][gG][zZ]99251
+@{libreoffice_ext} += [tT][iI][fF]
+@{libreoffice_ext} += [tT][iI][fF][fF]
+
+#Writer
+@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
+@{libreoffice_ext} += [rR][tT][fF]
+
+#Calc
+@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
+@{libreoffice_ext} += [xX][lL][wW]
+#.dif dbf
+@{libreoffice_ext} += [dD][iIbB][fF]
+#.tsv .csv
+@{libreoffice_ext} += [cCtT][sS][vV]
+@{libreoffice_ext} += [sS][lL][kK]
+
+#Impress/Draw
+@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
+@{libreoffice_ext} += [pP][oO][tT]{,m,M}
+#Photoshop
+@{libreoffice_ext} += [pP][sS][dD]
+
+#Math
+@{libreoffice_ext} += [mM][mM][lL]
+
+@{libo_user_dirs} = @{HOME} /mnt /media
+
+#include
+
+profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
+ #include
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+# GnuPG1 only...
+# #include
+ #include
+ #include
+
+ #include
+
+ #include
+ #include
+ #include
+
+ #List directories for file browser
+ / r,
+ /**/ r,
+
+ owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
+ owner @{libo_user_dirs}/**~lock.* rw, #lock file support
+ owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
+ owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
+ owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
+
+ # Settings
+ /etc/libreoffice/ r,
+ /etc/libreoffice/** r,
+
+ /etc/cups/ppd/*.ppd r,
+ /etc/xml/catalog r, #exporting to .xhtml, for libxml2
+ /proc/*/status r,
+
+ owner @{HOME}/.config/libreoffice{,dev}/** rwk,
+ owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
+ owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
+ owner @{HOME}/.config/soffice.binrc.lock rwk,
+ owner @{HOME}/.cache/fontconfig/** rw,
+ owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work
+
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+
+ # allow schema to be read
+ /usr/share/glib-*/schemas/ r,
+ /usr/share/glib-*/schemas/** r,
+
+ # bluetooth send to
+ network bluetooth,
+
+ /{usr/,}bin/sh rmix,
+ /{usr/,}bin/bash rmix,
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/rm rmix, #deleting /tmp/psp1534203998 (printing to file)
+ /usr/bin/bluetooth-sendto rmPUx,
+ /usr/bin/lpr rmPUx,
+ /usr/bin/paperconf rmix,
+ /usr/bin/gpgconf rmix,
+ /usr/bin/gpg rmCx -> gpg,
+ /usr/bin/gpgsm rmCx -> gpg,
+ /usr/bin/gpa rix,
+ /usr/bin/seahorse rix,
+ /usr/bin/kgpg rix,
+ /usr/bin/kleopatra rix,
+
+ /dev/tty rw,
+
+ /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
+ owner @{HOME}/.cache/gstreamer-???/** rw,
+ unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
+
+ /usr/lib{,32,64}/jvm/ r,
+ /usr/lib{,32,64}/jvm/** r,
+ /usr/lib{,32,64}/jvm/**/jre/bin/java mix,
+ /usr/lib{,32,64}/jvm/**/bin/java mix,
+ # should be included in the jvm/** above but there it is
+ # a symlink, so apparmor still doesn't allow it...
+ /etc/java-??-openjdk/security/java.security r,
+ /usr/lib/libreoffice/** rw,
+ /usr/lib/libreoffice/**.so m,
+ /usr/lib/libreoffice/program/soffice.bin mix,
+ /usr/lib/libreoffice/program/xpdfimport px,
+ /usr/lib/libreoffice/program/senddoc px,
+ /usr/bin/xdg-open rPUx,
+
+ /usr/share/java/**.jar r,
+ /usr/share/hunspell/ r,
+ /usr/share/hunspell/** r,
+ /usr/share/hyphen/ r,
+ /usr/share/hyphen/** r,
+ /usr/share/mythes/ r,
+ /usr/share/mythes/** r,
+ /usr/share/liblangtag/ r,
+ /usr/share/liblangtag/** r,
+ /usr/share/libreoffice/ r,
+ /usr/share/libreoffice/** r,
+ /usr/share/yelp-xsl/xslt/mallard/** r,
+ /usr/share/libexttextcat/* r,
+ /usr/share/icu/** r,
+ /usr/share/locale-bundle/* r,
+
+ /var/spool/libreoffice/ r,
+ /var/spool/libreoffice/** rw,
+ /var/cache/fontconfig/ rw,
+
+ #Likely moving to abstractions in the future
+ owner @{HOME}/.icons/*/cursors/* r,
+ /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
+ /usr/share/*-fonts/conf.avail/*.conf r,
+ /usr/share/fonts-config/conf.avail/*.conf r,
+ /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
+ /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
+ @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
+
+ #To avoid "Unable to create io-slave." for file dialog
+ owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
+ #For KIO IO::Slave::createSlave()
+ owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl -> /{,var/}run/user/[0-9]*/#[0-9]*,
+
+ owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ owner @{HOME}/.mozilla/firefox/*/secmod.db r,
+ # firefox < 58
+ owner @{HOME}/.mozilla/firefox/*/cert8.db r,
+ # firefox >= 58
+ owner @{HOME}/.mozilla/firefox/*/cert9.db r,
+
+ owner @{HOME}/.local/share/user-places.xbel r,
+
+ # there is abstractions/gnupg but that's just for gpg1...
+ profile gpg {
+ #include
+
+ /usr/bin/gpgconf rm,
+ /usr/bin/gpg rm,
+ /usr/bin/gpgsm rm,
+
+ owner @{HOME}/.gnupg/* r,
+ owner @{HOME}/.gnupg/random_seed rk,
+ }
+
+ # probably should become a subprofile like gpg above, but then it doesn't
+ # work either as it tries to access stuff only allowed above...
+ owner @{HOME}/.config/kdeglobals r,
+ /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
+ /usr/share/qt5/translations/* r,
+ /usr/lib/*/qt5/plugins/** rm,
+ /usr/share/plasma/look-and-feel/**/contents/defaults r,
+
+ # TODO: remove when rules are available in abstractions/kde
+ owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
+ owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+ owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+ owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+ owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+ owner @{HOME}/.config/trashrc r, # user by KFileWidget
+ /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
+
+ # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
+ owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+
+ # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
+ /usr/share/kservices5/*.protocol r,
+
+ # TODO: use qt5-settings-write abstraction when it is available
+ owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
+ owner @{HOME}/.config/QtProject.conf rw,
+ owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
+ owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
+ owner @{HOME}/.config/QtProject.conf.lock rwk,
+
+ # TODO: use qt5-compose-cache-write abstraction when it is available
+ owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
+
+ # TODO: use recent-documents-write abstraction when it is available
+ owner @{HOME}/.local/share/RecentDocuments/** r,
+ owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
+ owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
+ owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
+
+ # TODO: use kde-globals-write abstraction when it is available
+ owner @{HOME}/.config/kdeglobals rw,
+ owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
+ owner @{HOME}/.config/kdeglobals.lock rwk,
+}
diff --git a/apparmor.d/usr.lib.libreoffice.program.xpdfimport b/apparmor.d/usr.lib.libreoffice.program.xpdfimport
new file mode 100644
index 00000000..bdfc5572
--- /dev/null
+++ b/apparmor.d/usr.lib.libreoffice.program.xpdfimport
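Review bot: `/usr/lib/libreoffice/** rw` grants write access to the whole LibreOffice installation tree while `/usr/lib/libreoffice/**.so m` and `/usr/lib/libreoffice/program/soffice.bin mix` allow the same tree to be mapped and executed, so as far as this profile is concerned the confined process may modify and then load its own program files; DAC normally stops an unprivileged user, but the profile should not rely on it for a document renderer that parses untrusted input. The install tree should be read-only, `/usr/lib/libreoffice/** r,`, with any path that genuinely needs writing listed separately (the profile already does this for `/var/spool/libreoffice/** rw` and the user's config), or the reason for `rw` should be commented. Separately, `@{libreoffice_ext} += [sS][vV][gG][zZ]99251` near the top of the file carries a trailing `99251` that does not look like part of the pattern — as written it matches only names ending in `svgz99251` rather than `.svgz` — and is worth checking against the source this was copied from. None of this is enforced while the profile carries `flags=(complain)`.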
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+# Copyright (C) 2017 Software in the Public Interest, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Authors: Bryan Quigley
+# Rene Engelhard
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport {
+ #include
+
+ #include
+
+ /usr/share/poppler/** r,
+ /usr/share/libreoffice/share/config/* r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+
+ /usr/lib/libreoffice/program/xpdfimport pxm,
+
+ #Uncomment for build testing (should be one directory <- of instdir)
+ #/mnt/store/git/libo/** r,
+}
+
diff --git a/apparmor.d/usr.lib.libvirt.virt-aa-helper b/apparmor.d/usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 00000000..3eebc207
--- /dev/null
+++ b/apparmor.d/usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,74 @@
+#include
+
+profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
+ #include
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+ network inet6,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ # Used when internally running another command (namely apparmor_parser)
+ @{PROC}/@{pid}/fd/ r,
+
+ /etc/libnl-3/classid r,
+
+ # for gl enabled graphics
+ /dev/dri/{,*} r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
+
+ /usr/lib/libvirt/virt-aa-helper mr,
+ /{usr/,}sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /var/lib/nova/instances/_base/* r,
+ /{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /{,var/}run/libvirt/**/[sv]d[a-z] r,
+
+ /**.img r,
+ /**.raw r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.vhd r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.apt-cacher-ng b/apparmor.d/usr.sbin.apt-cacher-ng
new file mode 100644
index 00000000..7d117735
--- /dev/null
+++ b/apparmor.d/usr.sbin.apt-cacher-ng
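Review bot: `/{usr/,}sbin/apparmor_parser Ux` is the one point where this otherwise read-mostly profile hands off all confinement: the parser runs unconfined (with a scrubbed environment), which is needed so it can load the generated guest profiles, but nothing on the line says so. A comment such as `# Ux: apparmor_parser must load the generated libvirt-<uuid> profiles into the kernel, so it runs unconfined` would make the exception deliberate, and pairs well with the `/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*... rw` rule two lines below, which is the only write the helper is granted outside `/proc`. The `audit deny @{HOME}/.*` block is a sound guard for the broad `@{HOME}/** r` that follows it; a one-line comment that the deny rules win regardless of order would spare readers from assuming the later allow overrides them.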
@@ -0,0 +1,33 @@
+# Author: Felix Geyer
+
+@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
+
+#include
+
+profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
+ #include
+ #include
+ #include
+
+ /etc/apt-cacher-ng/ r,
+ /etc/apt-cacher-ng/** r,
+ /etc/hosts.{deny,allow} r,
+
+ /var/lib/apt-cacher-ng/** r,
+ /{,var/}run/apt-cacher-ng/* rw,
+ @{APT_CACHER_NG_CACHE_DIR}/ r,
+ @{APT_CACHER_NG_CACHE_DIR}/** rw,
+ /var/log/apt-cacher-ng/ r,
+ /var/log/apt-cacher-ng/* rw,
+ /{,var/}run/systemd/notify w,
+
+ /{usr/,}bin/dash ixr,
+ /{usr/,}bin/ed ixr,
+ /{usr/,}bin/red ixr,
+ /{usr/,}bin/sed ixr,
+
+ /usr/lib/apt-cacher-ng/acngtool ixr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.avahi-daemon b/apparmor.d/usr.sbin.avahi-daemon
new file mode 100644
index 00000000..62f56df7
--- /dev/null
+++ b/apparmor.d/usr.sbin.avahi-daemon
@@ -0,0 +1,33 @@
+#include
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability kill,
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ network netlink dgram,
+
+ /etc/avahi/ r,
+ /etc/avahi/avahi-daemon.conf r,
+ /etc/avahi/hosts r,
+ /etc/avahi/services/ r,
+ /etc/avahi/services/*.service r,
+ @{PROC}/@{pid}/fd/ r,
+ /usr/{bin,sbin}/avahi-daemon mr,
+ /usr/share/avahi/introspection/*.introspect r,
+ /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
+ /{,var/}run/avahi-daemon/ w,
+ /{,var/}run/avahi-daemon/pid krw,
+ /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd
new file mode 100644
index 00000000..9b8d0668
--- /dev/null
+++ b/apparmor.d/usr.sbin.cupsd
@@ -0,0 +1,217 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Aug 2 12:54:46 2007
+# Author: Martin Pitt
+
+#include
+
+/usr/sbin/cupsd flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability audit_write,
+ capability wake_alarm,
+ deny capability block_suspend,
+
+ # noisy
+ deny signal (send) set=("term") peer=unconfined,
+
+ # nasty, but we limit file access pretty tightly, and cups chowns a
+ # lot of files to 'lp' which it cannot read/write afterwards any
+ # more
+ capability dac_override,
+ capability dac_read_search,
+
+ # the bluetooth backend needs this
+ network bluetooth,
+
+ # the dnssd backend uses those
+ network x25 seqpacket,
+ network ax25 dgram,
+ network netrom seqpacket,
+ network rose dgram,
+ network ipx dgram,
+ network appletalk dgram,
+ network econet dgram,
+ network ash dgram,
+
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/dash ixr,
+ /{usr/,}bin/hostname ixr,
+ /dev/lp* rw,
+ deny /dev/tty rw, # silence noise
+ /dev/ttyS* rw,
+ /dev/ttyUSB* rw,
+ /dev/usb/lp* rw,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** rw,
+ /dev/parport* rw,
+ /etc/cups/ rw,
+ /etc/cups/** rw,
+ /etc/cups/interfaces/* ixrw,
+ /etc/foomatic/* r,
+ /etc/gai.conf r,
+ /etc/papersize r,
+ /etc/pnm2ppa.conf r,
+ /etc/printcap rwl,
+ /etc/ssl/** r,
+ @{PROC}/net/ r,
+ @{PROC}/net/* r,
+ @{PROC}/sys/dev/parport/** r,
+ @{PROC}/*/net/ r,
+ @{PROC}/*/net/** r,
+ @{PROC}/*/auxv r,
+ @{PROC}/sys/crypto/** r,
+ /sys/** r,
+ /usr/bin/* ixr,
+ /usr/sbin/* ixr,
+ /{usr/,}bin/* ixr,
+ /{usr/,}sbin/* ixr,
+ /usr/lib/** rm,
+
+ # backends which come with CUPS can be confined
+ /usr/lib/cups/backend/bluetooth ixr,
+ /usr/lib/cups/backend/dnssd ixr,
+ /usr/lib/cups/backend/http ixr,
+ /usr/lib/cups/backend/ipp ixr,
+ /usr/lib/cups/backend/lpd ixr,
+ /usr/lib/cups/backend/mdns ixr,
+ /usr/lib/cups/backend/parallel ixr,
+ /usr/lib/cups/backend/serial ixr,
+ /usr/lib/cups/backend/snmp ixr,
+ /usr/lib/cups/backend/socket ixr,
+ /usr/lib/cups/backend/usb ixr,
+
+ # we treat cups-pdf specially, since it needs to write into /home
+ # and thus needs extra paranoia
+ /usr/lib/cups/backend/cups-pdf Px,
+
+ # allow communicating with cups-pdf via Unix sockets
+ unix peer=(label=/usr/lib/cups/backend/cups-pdf),
+
+ # third party backends get no restrictions as they often need high
+ # privileges and this is beyond our control
+ /usr/lib/cups/backend/* Cx -> third_party,
+
+ /usr/lib/cups/cgi-bin/* ixr,
+ /usr/lib/cups/daemon/* ixr,
+ /usr/lib/cups/monitor/* ixr,
+ /usr/lib/cups/notifier/* ixr,
+ # filters and drivers (PPD generators) are always run as non-root,
+ # and there are a lot of third-party drivers which we cannot predict
+ /usr/lib/cups/filter/** Cxr -> third_party,
+ /usr/lib/cups/driver/* Cxr -> third_party,
+ /usr/local/** rm,
+ /usr/local/lib/cups/** rix,
+ /usr/share/** r,
+ /{,var/}run/** rm,
+ /{,var/}run/avahi-daemon/socket rw,
+ deny /{,var/}run/samba/ rw,
+ /{,var/}run/samba/** rw,
+ /var/cache/samba/*.tdb r,
+ /var/{cache,lib}/samba/printing/printers.tdb r,
+ /{,var/}run/cups/ rw,
+ /{,var/}run/cups/** rw,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rwk,
+ /var/log/cups/ rw,
+ /var/log/cups/* rw,
+ /var/spool/cups/ rw,
+ /var/spool/cups/** rw,
+
+ # third-party printer drivers; no known structure here
+ /opt/** rix,
+
+ # FIXME: no policy ATM for hplip and Brother drivers
+ /usr/bin/hpijs Cx -> third_party,
+ /usr/Brother/** Cx -> third_party,
+
+ # Kerberos authentication
+ /etc/krb5.conf r,
+ deny /etc/krb5.conf w,
+ /etc/krb5.keytab rk,
+ /etc/cups/krb5.keytab rwk,
+ /tmp/krb5cc* k,
+
+ # likewise authentication
+ /etc/likewise r,
+ /etc/likewise/* r,
+
+ # silence noise
+ deny /etc/udev/udev.conf r,
+
+ signal peer=/usr/sbin/cupsd//third_party,
+ unix peer=(label=/usr/sbin/cupsd//third_party),
+
+ profile third_party flags=(attach_disconnected) {
+ # third party backends, filters, and drivers get relatively no restrictions
+ # as they often need high privileges, are unpredictable or otherwise beyond
+ # our control
+ file,
+ capability,
+ audit deny capability mac_admin,
+ network,
+ dbus,
+ signal,
+ ptrace,
+ unix,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
+
+# separate profile since this needs to write into /home
+/usr/lib/cups/backend/cups-pdf {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+
+ # unfortunate, but required for when $HOME is 700
+ capability dac_override,
+ capability dac_read_search,
+
+ # allow communicating with cupsd via Unix sockets
+ unix peer=(label=/usr/sbin/cupsd),
+
+ @{PROC}/*/auxv r,
+
+ /{usr/,}bin/dash ixr,
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/cp ixr,
+ /etc/papersize r,
+ /etc/cups/cups-pdf.conf r,
+ /etc/cups/ppd/*.ppd r,
+ /usr/bin/gs ixr,
+ /usr/lib/cups/backend/cups-pdf mr,
+ /usr/lib/ghostscript/** mr,
+ /usr/share/** r,
+ /var/log/cups/cups-pdf*_log w,
+ /var/spool/cups/** r,
+ /var/spool/cups-pdf/** rw,
+
+ # allow read and write on almost anything in @{HOME} (lenient, but
+ # private-files-strict is in effect), to support customized "Out"
+ # setting in cups-pdf.conf (Debian#940578)
+ #include
+ @{HOME}/[^.]*/{,**/} rw,
+ @{HOME}/[^.]*/** rw,
+}
diff --git a/apparmor.d/usr.sbin.dnsmasq b/apparmor.d/usr.sbin.dnsmasq
new file mode 100644
index 00000000..0e22eba8
--- /dev/null
+++ b/apparmor.d/usr.sbin.dnsmasq
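Review bot: `/etc/cups/interfaces/* ixrw`, in the first part of this hunk, grants write and inherit-execute on the same files, so a process confined by the cupsd profile — which holds `dac_override`, `setuid`, `chown` and runs as root — may create an interface script and then execute it with the profile's full privileges; it is the only rule in the file where write and execute meet on one path, and the rest of the profile visibly tries to avoid that (CUPS' own backends get `ixr`, unknown ones are pushed into `third_party`). If cupsd does not itself write interface scripts the rule should become `/etc/cups/interfaces/* ixr,`; if it does, a comment on the line saying why both are needed would stop the next reader from tightening it by accident. The `/opt/** rix` and `/usr/bin/* ixr`-style wildcards are broad in the same way (anything there inherits cupsd's capabilities), but the comments already present explain that choice.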
@@ -0,0 +1,136 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 John Dong
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
+
+#include
+
+# This profile has the name "/usr/sbin/dnsmasq", but attaches to both /usr/bin/dnsmasq and /usr/sbin/dnsmasq.
+# We are sorry for the confusion ;-) but this trick is needed to support distributions with merged bin and sbin
+# while not breaking the libvirtd profile that has rules with peer=/usr/sbin/dnsmasq
+# Future versions of AppArmor (> 2.13.x) will have "dnsmasq" as profile name.
+
+profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=libvirtd,
+ ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=/usr/sbin/libvirtd,
+ ptrace (readby) peer=libvirtd,
+
+ owner /dev/tty rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/dnsmasq.conf r,
+ /etc/dnsmasq.d/ r,
+ /etc/dnsmasq.d/* r,
+ /etc/dnsmasq.d-available/ r,
+ /etc/dnsmasq.d-available/* r,
+ /etc/ethers r,
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
+ /etc/NetworkManager/dnsmasq-shared.d/ r,
+ /etc/NetworkManager/dnsmasq-shared.d/* r,
+
+ /usr/{bin,sbin}/dnsmasq mr,
+
+ /var/log/dnsmasq*.log w,
+
+ /usr/share/dnsmasq/ r,
+ /usr/share/dnsmasq/* r,
+
+ /{,var/}run/*dnsmasq*.pid w,
+ /{,var/}run/dnsmasq-forwarders.conf r,
+ /{,var/}run/dnsmasq/ r,
+ /{,var/}run/dnsmasq/* rw,
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
+
+ # libvirt config and hosts file for dnsmasq
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/* r,
+
+ # libvirt pid files for dnsmasq
+ /{,var/}run/libvirt/network/ r,
+ /{,var/}run/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+
+ # lxc-net pid and lease files
+ /{,var/}run/lxc/dnsmasq.pid rw,
+ /var/lib/misc/dnsmasq.*.leases rw,
+
+ # lxd-bridge pid and lease files
+ /{,var/}run/lxd-bridge/dnsmasq.pid rw,
+ /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.* r,
+ /var/lib/lxd/networks/*/dnsmasq.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+ # NetworkManager integration
+ /var/lib/NetworkManager/dnsmasq-*.leases rw,
+ /{,var/}run/nm-dns-dnsmasq.conf r,
+ /{,var/}run/nm-dnsmasq-*.pid rw,
+ /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
+ /{,var/}run/NetworkManager/dnsmasq.conf r,
+ /{,var/}run/NetworkManager/dnsmasq.pid w,
+ /{,var/}run/NetworkManager/NetworkManager.pid w,
+
+ profile libvirt_leaseshelper {
+ #include
+
+ /etc/libnl-3/classid r,
+
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ /{,var/}run/leaseshelper.pid rwk,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.fwknopd b/apparmor.d/usr.sbin.fwknopd
new file mode 100644
index 00000000..e70b3cae
--- /dev/null
+++ b/apparmor.d/usr.sbin.fwknopd
@@ -0,0 +1,45 @@
+# Last Modified: Sun Aug 18 22:54:57 2013
+# Assumes fwknopd was built with:
+# './configure --prefix=/usr --sysconfdir=/etc --localstatedir=/run'
+#include
+
+/usr/sbin/fwknopd {
+ #include
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_raw,
+
+ network inet raw,
+ network inet dgram,
+ network inet6 dgram,
+ network packet raw,
+ network packet dgram,
+
+ /bin/dash rix,
+ /bin/bash rix,
+ /etc/fwknop/access.conf r,
+ /etc/fwknop/fwknopd.conf r,
+ /etc/host.conf r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/protocols r,
+ /etc/resolv.conf r,
+ /etc/services r,
+ @{PROC}/@{pid}/net/ip_tables_names r,
+ /root/.gnupg/* rwkl,
+ /run/fwknop/ rw,
+ /run/fwknop/* rwk,
+ /run/resolvconf/resolv.conf r,
+ /run/xtables.lock rwk,
+ /sbin/ipset rix,
+ /sbin/xtables-legacy-multi rix,
+ /sbin/xtables-multi rix,
+ /usr/bin/gpg rix,
+ /usr/sbin/fwknopd mr,
+ /usr/sbin/ipset rix,
+ /usr/sbin/xtables-legacy-multi rix,
+ /usr/sbin/xtables-nft-multi rix,
+ /var/cache/nscd/passwd r,
+
+}
diff --git a/apparmor.d/usr.sbin.identd b/apparmor.d/usr.sbin.identd
new file mode 100644
index 00000000..08d751e9
--- /dev/null
+++ b/apparmor.d/usr.sbin.identd
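Review bot: `/root/.gnupg/* rwkl` in the fwknopd profile gives a daemon that receives raw packets from the network (`network packet raw`, `network inet raw`) read, write, lock and link rights over root's entire GnuPG home, private keys and trustdb included. If gpg is only used to decrypt and verify incoming SPA packets, the keyring files may be satisfiable with `r` plus `k` on the lock files — the soffice `gpg` subprofile earlier on this page gets by with `owner @{HOME}/.gnupg/* r` and `random_seed rk` — and if `w` and `l` really are required a comment naming which files gpg writes would justify keeping them. The same profile ends with a blank line before the closing `}` and, unlike every other profile here, has no site-specific `#include` hook; presumably deliberate, but a one-line comment would say so.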
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile identd /usr/{bin,sbin}/identd flags=(complain) {
+ #include
+ #include
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ network netlink dgram,
+ /etc/identd.conf r,
+ /etc/identd.key r,
+ /etc/identd.pid w,
+ /usr/{bin,sbin}/identd rmix,
+ @{PROC}/net/tcp r,
+ @{PROC}/net/tcp6 r,
+ /{,var/}run/identd.pid w,
+ /{,var/}run/identd/ w,
+ /{,var/}run/identd/identd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd
new file mode 100644
index 00000000..7213f7c7
--- /dev/null
+++ b/apparmor.d/usr.sbin.libvirtd
@@ -0,0 +1,140 @@
+#include
+@{LIBVIRT}="libvirt"
+
+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+ #include
+ #include
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ mount options=(rw,rslave) -> /,
+ mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+
+ # libvirt provides any mounts under /dev to qemu namespaces
+ mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
+ mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
+ mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+
+ # for --p2p migrations
+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=@{profile_name},
+ ptrace (read,trace) peer=dnsmasq,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=virt-manager,
+
+ signal (send) peer=dnsmasq,
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill", "term") peer=unconfined,
+
+ # For communication/control to qemu-bridge-helper
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
+
+ # allow connect with openGraphicsFD, direction reversed in newer versions
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ # unconfined also required if guests run without security module
+ unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
+ # required if guests run unconfined seclabel type='none' but libvirtd is confined
+ signal (read, send) peer=unconfined,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/virtlogd pix,
+ /usr/sbin/* PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
+ /usr/lib/xen-*/bin/pygrub PUx,
+ /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
+ /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
+ # force the use of virt-aa-helper
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/lib/libvirt/* PUxr,
+ /usr/lib/libvirt/libvirt_parthelper ix,
+ /usr/lib/libvirt/libvirt_iohelper ix,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ # For communication/control from libvirtd
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+ signal (receive) set=("term") peer=libvirtd,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.mdnsd b/apparmor.d/usr.sbin.mdnsd
new file mode 100644
index 00000000..82b4088e
--- /dev/null
+++ b/apparmor.d/usr.sbin.mdnsd
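Review bot: `/** rwmkl` combined with `/etc/libvirt/hooks/** rmix` and `/etc/xen/scripts/** rmix` lets libvirtd write a hook script and then execute it under its own capability-rich profile, which is the write-then-execute pattern the `audit deny` block for apparmor_parser is there to prevent elsewhere. The comment above `/ r` says the leniency is deliberate, and `/var/lib/libvirt/virtd* ixr` genuinely needs it (the nwfilter temp-file comment explains why), but hooks are admin-provided: if libvirtd never writes them itself, an `audit deny /etc/libvirt/hooks/** w,` next to the `rmix` rule would close that path without touching the rest, and if it does, a comment on the line should say so. The whole profile body is inside this hunk, so the change would be self-contained.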
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ network netlink dgram,
+
+ /usr/{bin,sbin}/mdnsd rmix,
+
+ @{PROC}/net/ r,
+ @{PROC}/net/unix r,
+ /{,var/}run/mdnsd lw,
+ /{,var/}run/mdnsd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.nmbd b/apparmor.d/usr.sbin.nmbd
new file mode 100644
index 00000000..e0e9cd0c
--- /dev/null
+++ b/apparmor.d/usr.sbin.nmbd
@@ -0,0 +1,35 @@
+#include
+
+profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_bind_service,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /usr/{bin,sbin}/nmbd mr,
+
+ /var/cache/samba/gencache.tdb rwk,
+ /var/cache/samba/gencache_notrans.tdb rwk,
+ /var/cache/samba/names.tdb rwk,
+ /var/{cache,lib}/samba/browse.dat* rw,
+ /var/{cache,lib}/samba/gencache.dat rw,
+ /var/{cache,lib}/samba/wins.dat* rw,
+ /var/{cache,lib}/samba/smb_krb5/ rw,
+ /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
+ /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
+ /var/{cache,lib}/samba/sync.* rw,
+ /var/{cache,lib}/samba/unexpected rw,
+ /var/cache/samba/msg/ rw,
+ /var/cache/samba/msg/* w,
+ /var/cache/samba/msg.lock/{,*} rwk,
+
+ /{,var/}run/nmbd.pid rwk,
+ /{,var/}run/samba/** rwk,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.nscd b/apparmor.d/usr.sbin.nscd
new file mode 100644
index 00000000..b1b1b953
--- /dev/null
+++ b/apparmor.d/usr.sbin.nscd
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+profile nscd /usr/{bin,sbin}/nscd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ deny capability block_suspend,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ /etc/netgroup r,
+ /etc/nscd.conf r,
+ /usr/{bin,sbin}/nscd rmix,
+ /{,var/}run/.nscd_socket wl,
+ /{,var/}run/nscd/ rw,
+ /{,var/}run/nscd/db* rwl,
+ /{,var/}run/nscd/socket wl,
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{,var/}run/{nscd/,}nscd.pid rwl,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.status r,
+ /var/log/nscd.log rw,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fd/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.smbd b/apparmor.d/usr.sbin.smbd
new file mode 100644
index 00000000..7d8b68a9
--- /dev/null
+++ b/apparmor.d/usr.sbin.smbd
@@ -0,0 +1,64 @@
+#include
+
+profile smbd /usr/{bin,sbin}/smbd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability lease,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+ capability sys_tty_config,
+
+ /etc/mtab r,
+ /etc/netgroup r,
+ /etc/printcap r,
+ /etc/samba/* rwk,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/core_pattern r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/lib*/samba/auth/*.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+ /usr/lib*/samba/gensec/*.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+ /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+ /usr/lib/@{multiarch}/samba/**/ r,
+ /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+ /usr/{bin,sbin}/smbd mr,
+ /usr/{bin,sbin}/smbldap-useradd Px,
+ /var/cache/samba/** rwk,
+ /var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/samba/** rwk,
+ /var/lib/sss/pubconf/kdcinfo.* r,
+ /{,var/}run/dbus/system_bus_socket rw,
+ /{,var/}run/smbd.pid rwk,
+ /{,var/}run/samba/** rk,
+ /{,var/}run/samba/ncalrpc/ rw,
+ /{,var/}run/samba/ncalrpc/** rw,
+ /{,var/}run/samba/smbd.pid rw,
+ /{,var/}run/samba/msg.lock/ rw,
+ /{,var/}run/samba/msg.lock/[0-9]* rwk,
+ /var/spool/samba/** rw,
+
+ @{HOMEDIRS}/** lrwk,
+
+ # Permissions for all configured shares (file autogenerated by
+ # update-apparmor-samba-profile on service startup.
+ #include if exists
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.smbldap-useradd b/apparmor.d/usr.sbin.smbldap-useradd
new file mode 100644
index 00000000..d52307a7
--- /dev/null
+++ b/apparmor.d/usr.sbin.smbldap-useradd
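Review bot: `/etc/samba/* rwk` gives smbd write access to its own configuration directory, including smb.conf, so a compromised smbd — which this profile also grants `capability sys_admin` and `capability dac_override` — could rewrite its own share and authentication settings; if a particular file under /etc/samba genuinely must be writable, name it explicitly and keep the rest at `/etc/samba/* r,`. The profile is `flags=(complain)`, so nothing here is enforced until the flag is removed; a comment stating whether that is deliberate would help the next reader. The `#include if exists` line appears to have lost its target in this rendering — the comment above it refers to an autogenerated shares file, so confirm the include is intact in the repository.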
@@ -0,0 +1,37 @@
+# Last Modified: Tue Jan 3 00:17:40 2012
+#include
+
+profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ /dev/tty rw,
+ /{,usr/}bin/bash ix,
+ /etc/init.d/nscd Cx,
+ /etc/shadow r,
+ /etc/smbldap-tools/smbldap.conf r,
+ /etc/smbldap-tools/smbldap_bind.conf r,
+ /usr/{bin,sbin}/smbldap-useradd r,
+ /usr/{bin,sbin}/smbldap_tools.pm r,
+ /var/log/samba/log.smbd w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+ profile /etc/init.d/nscd flags=(complain) {
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ /{,usr/}bin/bash r,
+ /{,usr/}bin/mountpoint rix,
+ /{,usr/}bin/systemctl rix,
+ /dev/tty rw,
+ /etc/init.d/nscd r,
+ /etc/rc.status r,
+
+ }
+}
diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.sbin.tcpdump
new file mode 100644
index 00000000..c3b91896
--- /dev/null
+++ b/apparmor.d/usr.sbin.tcpdump
@@ -0,0 +1,65 @@
+# vim:syntax=apparmor
+#include
+
+profile tcpdump /usr/sbin/tcpdump {
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability dac_override,
+ capability chown,
+ network raw,
+ network packet,
+
+ # for -D
+ @{PROC}/bus/usb/ r,
+ @{PROC}/bus/usb/** r,
+
+ # for finding an interface
+ /dev/ r,
+ @{PROC}/[0-9]*/net/dev r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/net/ r,
+ /sys/devices/**/net/** r,
+
+ # for -j
+ capability net_admin,
+
+ # for tracing USB bus, which libpcap supports
+ /dev/usbmon* r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+
+ # for init_etherarray(), with -e
+ /etc/ethers r,
+
+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+ /dev/bus/usb/**/[0-9]* w,
+
+ # for -z
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+
+ # for -F and -w
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+
+ # for -r, -F and -w
+ /**.[pP][cC][aA][pP] rw,
+
+ # for convenience with -r (ie, read pcap files from other sources)
+ /var/log/snort/*log* r,
+
+ /usr/sbin/tcpdump mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.traceroute b/apparmor.d/usr.sbin.traceroute
new file mode 100644
index 00000000..2c08027f
--- /dev/null
+++ b/apparmor.d/usr.sbin.traceroute
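Review bot: `/**.[pP][cC][aA][pP] rw` together with `capability dac_override` lets a root-run tcpdump (`-w`) create or overwrite any file whose name ends in .pcap anywhere on the filesystem, regardless of owner; the `audit deny @{HOME}/.*` rules above it only shield dotfiles and `bin/` inside home directories, not paths elsewhere. If reading captures produced by other users is the only cross-owner need, split the rule into `/**.[pP][cC][aA][pP] r,` and `owner /**.[pP][cC][aA][pP] rw,`. The restriction of `-z` to `gzip`/`bzip2` with `ixr` is the right call — worth a comment saying that `-z` otherwise runs an arbitrary command on each rotated file, so nobody loosens it later. This profile is in enforce mode, unlike most of its neighbours, which is good.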
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
+ #include
+ #include
+ #include
+
+ deny capability net_admin, # noisy setsockopt() calls
+ capability net_raw,
+
+ network inet raw,
+ network inet6 raw,
+
+ /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
+ @{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/uupdate b/apparmor.d/uupdate
new file mode 100644
index 00000000..9e4f9795
--- /dev/null
+++ b/apparmor.d/uupdate
@@ -0,0 +1,62 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BUILD_DIR} = /media/debuilder/
+
+@{exec_path} = /{usr/,}bin/uupdate
+profile uupdate @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/bash r,
+
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/expr rix,
+
+ /{usr/,}bin/perl rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/md5sum rix,
+
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/xz rix,
+
+ # FIXME
+ /{usr/,}bin/debchange rPUx,
+ /{usr/,}bin/dpkg-vendor rPUx,
+ /{usr/,}bin/dpkg-parsechangelog rPUx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
+ /etc/devscripts.conf r,
+
+ # For package building
+ owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+
+ #include if exists
+}
diff --git a/apparmor.d/vcsi b/apparmor.d/vcsi
new file mode 100644
index 00000000..ff9cda23
--- /dev/null
+++ b/apparmor.d/vcsi
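Review bot: The three `rPUx` transitions under `# FIXME` fall back to running `debchange`, `dpkg-vendor` and `dpkg-parsechangelog` unconfined whenever no profile for them is loaded, and uupdate feeds them data derived from a freshly unpacked upstream tarball and changelog — exactly the untrusted input a profile should keep contained. If the intent is "confine once those profiles exist", say so in the comment rather than a bare FIXME, e.g. `# FIXME: PUx until profiles for these helpers exist; they parse the (untrusted) upstream changelog`, and switch to `rPx` as each profile lands. Note that `tar`, `xz` and `bzip2` run with `rix`, so the archive extraction itself stays inside this profile, which is the right place for it.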
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/vcsi
+profile vcsi @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/ffmpeg rPx,
+ /{usr/,}bin/ffprobe rPx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ owner /tmp/* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/vidcutter b/apparmor.d/vidcutter
new file mode 100644
index 00000000..3d90226f
--- /dev/null
+++ b/apparmor.d/vidcutter
@@ -0,0 +1,157 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{vidcutter_ext} = [aA]{52,[aA][cC],[cC]3}
+@{vidcutter_ext} += [mM][kK][aA]
+@{vidcutter_ext} += [fF][lL][aA][cC]
+@{vidcutter_ext} += [mM][pP][123cC]
+@{vidcutter_ext} += [oO][gGmM][aA]
+@{vidcutter_ext} += [wW]{,[aA]}[vV]
+@{vidcutter_ext} += [wW][mM]{,[aA]}
+@{vidcutter_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{vidcutter_ext} += [aA][sS][fF]
+@{vidcutter_ext} += [aA][vV][iI]
+@{vidcutter_ext} += [dD][iI][vV][xX]
+@{vidcutter_ext} += [mM][124][vV]
+@{vidcutter_ext} += [mM][kKoO][vV]
+@{vidcutter_ext} += [mM][pP][4aAeEgG]
+@{vidcutter_ext} += [mM][pP][eE][gG]{,[124]}
+@{vidcutter_ext} += [oO][gG][gGmMxXvV]
+@{vidcutter_ext} += [rR][mM]{,[vV][bB]}
+@{vidcutter_ext} += [wW][eE][bB][mM]
+@{vidcutter_ext} += [wW][mMtT][vV]
+@{vidcutter_ext} += [mM][pP]2[tT]
+
+@{exec_path} = /{usr/,}bin/vidcutter
+profile vidcutter @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}sbin/ldconfig rix,
+
+ /{usr/,}bin/ffmpeg rPUx,
+ /{usr/,}bin/ffprobe rPUx,
+ /{usr/,}bin/mediainfo rPUx,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+
+ # Which files vidcutter should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{vidcutter_ext} rw,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.config/vidcutter/ rw,
+ owner @{HOME}/.config/vidcutter/* rwkl -> @{HOME}/.config/vidcutter/#[0-9]*[0-9],
+
+ # If one is blocked, the others are probed.
+ deny owner @{HOME}/#[0-9]*[0-9] mrw,
+ owner @{HOME}/.glvnd* mrw,
+ # owner /tmp/#[0-9]*[0-9] mrw,
+ # owner /tmp/.glvnd* mrw,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/qtshadercache/ rw,
+ owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
+ owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+ owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ # To remove the following error:
+ # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
+ # (g-file-error-quark, 2)
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ deny @{PROC}/sys/kernel/random/boot_id r,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+ owner /tmp/vidcutter-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]* w,
+ owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
+ owner /tmp/vidcutter/{,*} rw,
+
+ deny /dev/ r,
+ /dev/shm/#[0-9]*[0-9] rw,
+ /dev/disk/*/ r,
+
+ /etc/vdpau_wrapper.cfg r,
+
+ /etc/fstab r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/vipw-vigr b/apparmor.d/vipw-vigr
new file mode 100644
index 00000000..d0491e3a
--- /dev/null
+++ b/apparmor.d/vipw-vigr
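Review bot: `owner @{HOME}/.glvnd* mrw` grants write and map-executable on the same user-writable file, so anything that can write that file as the user (another process, a malicious plugin) gets code executed inside the vidcutter profile; if the libglvnd JIT scratch file is unavoidable, note why and prefer a location outside $HOME, e.g. `# libglvnd needs a writable+executable scratch file; W+X accepted here, see the /tmp alternatives below`. The `open` child profile exists to confine xdg-open, yet the only application it may launch, firefox, is started with `rPUx`, which runs it unconfined unless a firefox profile happens to be loaded — `rPx` would make that dependency explicit, and the same applies to the `rPUx` entries for ffmpeg, ffprobe and mediainfo in the main profile. The `rCx -> open` line for xdg-open begins before this span.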
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/vi{pw,gr}
+profile vipw-vigr @{exec_path} {
+ #include
+
+ capability chown,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/sensible-editor rCx -> editor,
+ /{usr/,}bin/vim.* rCx -> editor,
+
+ /etc/login.defs r,
+
+ /etc/{passwd,shadow,gshadow,group}{,.edit} rw,
+ /etc/{passwd,shadow,gshadow,group}.@{pid} rw,
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+ /etc/shadow.lock wl -> /etc/shadow.@{pid},
+ /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
+ /etc/group.lock wl -> /etc/group.@{pid},
+ /etc/passwd- wl -> /etc/passwd,
+ /etc/shadow- wl -> /etc/shadow,
+ /etc/gshadow- wl -> /etc/gshadow,
+ /etc/group- wl -> /etc/group,
+
+ # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
+ # modify the /etc/passwd or /etc/shadow password database.
+ /etc/.pwd.lock rwk,
+
+
+ profile editor {
+ #include
+ #include
+
+ capability fsetid,
+
+ /{usr/,}bin/sensible-editor mr,
+ /{usr/,}bin/vim.* mrix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
+
+ owner @{HOME}/.selected_editor r,
+
+ /usr/share/vim/{,**} r,
+ /etc/vim/{,**} r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+
+ owner @{HOME}/.fzf/plugin/ r,
+ owner @{HOME}/.fzf/plugin/fzf.vim r,
+
+ /etc/{passwd,shadow,gshadow,group}.edit rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager
new file mode 100644
index 00000000..17a1242d
--- /dev/null
+++ b/apparmor.d/virt-manager
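Review bot: The `editor` child profile allows `owner @{HOME}/.viminfo{,.tmp} rw` while it edits `/etc/shadow.edit`; vim persists registers, search patterns and command history to viminfo, so yanked lines containing password hashes can end up in /root/.viminfo outside the shadow file's own permissions — worth a comment such as `# NOTE: vim writes registers/history here; hashes yanked from shadow.edit may persist in viminfo` so an operator can decide whether to set `viminfo=` for vipw. `/{usr/,}bin/dash rix` inside the same child means vim's `:!` and `:shell` get a shell that inherits `capability fsetid` and write access to the `.edit` files; since the child has no further exec rules nothing else can be launched, but that containment is the only thing standing between the editor and the system, and a one-line comment stating it would stop a later "helpful" addition of `/{usr/,}bin/** rix`. The `rCx -> editor` transition only covers `sensible-editor` and `vim.*`, so any other editor selected via `.selected_editor` will be denied rather than confined.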
@@ -0,0 +1,125 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/virt-manager
+@{exec_path} += /usr/share/virt-manager/virt-manager
+profile virt-manager @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} rix,
+ /{usr/,}bin/dash r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/getfacl rix,
+ /{usr/,}bin/setfacl rix,
+
+ /{usr/,}sbin/libvirtd rPx,
+
+ /usr/share/virt-manager/{,**} r,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/virt-manager/ rw,
+ owner @{HOME}/.cache/virt-manager/** rw,
+
+ # For disk images
+ /media/ r,
+ /media/*/ r,
+ @{HOME}/**.{iso,img,bin,mdf,nrg} r,
+ /media/*/**.{iso,img,bin,mdf,nrg} r,
+ @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
+ /media/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+
+ # System VM images
+ #owner /var/lib/libvirt/images/ r,
+
+ # User VM images
+ #owner @{HOME}/.local/share/libvirt/ rw,
+ #owner @{HOME}/.local/share/libvirt/images/ rw,
+ #owner @{HOME}/.local/share/libvirt/images/* rw,
+
+ #owner /media/*/VM/ r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /usr/share/osinfo/{,**} r,
+ /usr/share/gtksourceview-4/{,**} r,
+
+ /usr/share/misc/pci.ids r,
+ /var/lib/usbutils/usb.ids r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/ r,
+
+ # For USB devices
+ /dev/bus/usb/ r,
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{busnum,devnum,speed,descriptors} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/uevent r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{busnum,devnum,speed,descriptors} r,
+ /{var/,}run/udev/data/+usb:* r,
+ /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** r,
+
+ @{sys}/devices/pci[0-9]*/**/drm/ r,
+
+ /etc/fstab r,
+
+ /{var/,}run/mount/utab r,
+
+ owner /{var/,}run/user/[0-9]*/libvirt/libvirtd.lock rwk,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ /etc/glvnd/egl_vendor.d/ r,
+ /usr/share/glvnd/egl_vendor.d/ r,
+ /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r,
+
+ # The orcexec.* file is JIT compiled code for various GStreamer elements.
+ # If one is blocked the next is used instead.
+ owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+ #owner @{HOME}/orcexec.* mrw,
+ #owner /tmp/orcexec.* mrw,
+
+ # Silecne the noise
+ deny /usr/share/virt-manager/{,**} w,
+
+ #include if exists
+}
diff --git a/apparmor.d/vlc b/apparmor.d/vlc
new file mode 100644
index 00000000..27c7625c
--- /dev/null
+++ b/apparmor.d/vlc
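Review bot: The four disk-image rules under `# For disk images` drop the `owner` qualifier that every other `@{HOME}` rule in this profile carries; since `@{HOME}` normally expands to every home directory, `@{HOME}/**.{iso,img,bin,mdf,nrg} r` lets a virt-manager process read any user's disk images, not just its own. Unless cross-user image sharing is intended, write them as `owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,` (and the upper-case variant), keeping the unqualified form only for `/media/*`. The profile is `flags=(complain)`, so this is currently logged rather than enforced; the `rPx` transition to `libvirtd` also means virt-manager will fail to start a session daemon if the libvirtd profile is not loaded, which deserves a comment. Minor: "Silecne" in the last comment is a typo for "Silence".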
@@ -0,0 +1,158 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+@{vlc_ext} = [aA]{52,[aA][cC],[cC]3}
+@{vlc_ext} += [mM][kK][aA]
+@{vlc_ext} += [fF][lL][aA][cC]
+@{vlc_ext} += [mM][pP][123cC]
+@{vlc_ext} += [oO][gGmM][aA]
+@{vlc_ext} += [wW]{,[aA]}[vV]
+@{vlc_ext} += [wW][mM]{,[aA]}
+@{vlc_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{vlc_ext} += [aA][sS][fF]
+@{vlc_ext} += [aA][vV][iI]
+@{vlc_ext} += [dD][iI][vV][xX]
+@{vlc_ext} += [mM][124][vV]
+@{vlc_ext} += [mM][kKoO][vV]
+@{vlc_ext} += [mM][pP][4aAeEgG]
+@{vlc_ext} += [mM][pP][eE][gG]{,[124]}
+@{vlc_ext} += [oO][gG][gGmMxXvV]
+@{vlc_ext} += [rR][mM]{,[vV][bB]}
+@{vlc_ext} += [wW][eE][bB][mM]
+@{vlc_ext} += [wW][mMtT][vV]
+@{vlc_ext} += [mM][pP]2[tT]
+
+# Image extensions
+# bmp, jpg, jpeg, png, gif
+@{vlc_ext} += [bB][mM][pP]
+@{vlc_ext} += [jJ][pP]{,[eE]}[gG]
+@{vlc_ext} += [pP][nN][gG]
+@{vlc_ext} += [gG][iI][fF]
+
+# Subtitle extensions:
+# srt, txt, sub
+@{vlc_ext} += [sS][rR][tT]
+@{vlc_ext} += [tT][xX][tT]
+@{vlc_ext} += [sS][uU][bB]
+
+# Playlist extensions:
+# m3u, m3u8, pls
+@{vlc_ext} += [mM]3[uU]{,8}
+@{vlc_ext} += [pP][lL][sS]
+
+@{exec_path} = /{usr/,}bin/{c,}vlc
+profile vlc @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (receive) set=(term, kill) peer=anyremote//*,
+
+ @{exec_path} mrix,
+
+ # Which media files VLC should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{vlc_ext} rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # VLC files
+ /usr/share/vlc/{,**} r,
+
+ # VLC config files
+ owner @{HOME}/ r,
+ owner @{HOME}/.config/vlc/ rw,
+ owner @{HOME}/.config/vlc/* rwkl -> @{HOME}/.config/vlc/#[0-9]*[0-9],
+ owner @{HOME}/.local/share/vlc/{,*} rw,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/vlc/{,**} rw,
+ owner @{HOME}/.cache/#[0-9]*[0-9] rw,
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ deny @{PROC}/sys/kernel/random/boot_id r,
+
+ # Udev enumeration
+ @{sys}/bus/ r,
+ @{sys}/bus/**/devices/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/class/ r,
+ @{sys}/class/**/ r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,speed} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+ /{var/,}run/udev/data/b254:[0-9]* r, # for /dev/zram*
+ /{var/,}run/udev/data/b253:[0-9]* r, # for /dev/dm*
+ /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
+ /{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
+ /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ /{var/,}run/udev/data/+usb:* r, # for ?
+
+ /dev/ r,
+ /dev/bus/usb/ r,
+
+ /etc/fstab r,
+
+ /etc/glvnd/egl_vendor.d/ r,
+ /usr/share/glvnd/egl_vendor.d/ r,
+ /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ # Be able to turn off the screensaver while playing movies
+ /{usr/,}bin/xdg-screensaver rPUx,
+
+ # Silencer
+ deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.anyRemote/anyremote.stdout w,
+
+ #include if exists
+}
diff --git a/apparmor.d/vnstat b/apparmor.d/vnstat
new file mode 100644
index 00000000..51933602
--- /dev/null
+++ b/apparmor.d/vnstat
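Review bot: `owner /{home,media}/**.@{vlc_ext} rw` grants write access on every matching file, and `@{vlc_ext}` includes `.txt`, `.srt`, `.sub`, `.m3u`/`.m3u8`, `.pls` and the image extensions, so a media player fed an untrusted stream or playlist can overwrite any user-owned text file, subtitle, playlist or image under /home and /media. A player only needs to read what it plays; unless VLC's tag editor is a hard requirement, make this `owner /{home,media}/**.@{vlc_ext} r,` and add a separate, narrower `rw` rule for the specific container types whose metadata VLC is expected to write. `/{usr/,}bin/xdg-screensaver rPUx` starts that helper unconfined when no profile for it exists — it is a shell script, so `rPx` with a small profile, or a comment accepting the fallback, would make the choice explicit.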
@@ -0,0 +1,75 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/vnstat
+profile vnstat @{exec_path} {
+ #include
+ #include
+ #include
+
+ # The following rules are needed when adding a new interface to the vnstat database. Usually this
+ # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the
+ # database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the
+ # dac_override CAP is needed to allow writing files in that dir.
+ #
+ # If this CAP was denied, then the following error is printed when adding new interfaces:
+ #
+ # Error: Exec step failed (8: attempt to write a readonly database): "insert into interface
+ # (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1,
+ # datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)"
+ # Error: Adding interface "ifb0" to database failed.
+ #
+ capability dac_override,
+ #
+ # Also the vnstat.db file has to have the write permission:
+ /var/lib/vnstat/vnstat.db w,
+ /var/lib/vnstat/vnstat.db-journal rw,
+ #
+ # This is needed to change the owner:group to vnstat:vnstat of the database file.
+ capability chown,
+
+ @{exec_path} mr,
+
+ # Many apps/users can query vnstat database, so don't use owner here.
+ /var/lib/vnstat/ r,
+ /var/lib/vnstat/vnstat.db rk,
+
+ /etc/vnstat.conf r,
+
+ @{sys}/class/net/ r,
+
+ @{sys}/devices/pci[0-9]*/**/net/*/statistics/{tx,rx}_{bytes,packets} r,
+ @{sys}/devices/virtual/net/*/statistics/{tx,rx}_{bytes,packets} r,
+
+ @{sys}/devices/pci[0-9]*/**/net/*/speed r,
+ @{sys}/devices/virtual/net/*/speed r,
+
+ @{PROC}/@{pid}/net/dev r,
+
+ # file_inherit
+ deny @{PROC}/@{pid}/stat r,
+ deny @{PROC}/@{pid}/net/tcp{,6} r,
+ deny @{PROC}/@{pid}/net/if_inet6 r,
+ deny @{PROC}/@{pid}/cmdline r,
+ deny @{PROC}/@{pid}/io r,
+ deny @{PROC}/@{pid}/net/route r,
+ deny @{PROC}/uptime r,
+ deny @{PROC}/diskstats r,
+ deny @{PROC}/loadavg r,
+ deny @{sys}/devices/**/hwmon/**/temp*_input r,
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/vnstatd b/apparmor.d/vnstatd
new file mode 100644
index 00000000..43c60fd6
--- /dev/null
+++ b/apparmor.d/vnstatd
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/vnstatd
+profile vnstatd @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ # vnstat daemon config
+ /etc/vnstat.conf r,
+
+ # To determine capacity of a network interface
+ @{sys}/devices/pci[0-9]*/**/net/**/speed r,
+ @{sys}/devices/virtual/net/**/speed r,
+
+ # To collect interfaces' data
+ @{PROC}/@{pid}/net/dev r,
+
+ # To store the collected data
+ owner /var/lib/vnstat/ rw,
+ owner /var/lib/vnstat/vnstat.db rwk,
+ owner /var/lib/vnstat/vnstat.db-journal rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/volumeicon b/apparmor.d/volumeicon
new file mode 100644
index 00000000..6aa55bfa
--- /dev/null
+++ b/apparmor.d/volumeicon
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/volumeicon
+profile volumeicon @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ # Volumeicon files
+ /usr/share/volumeicon/** r,
+
+ # Volumeicon config files
+ owner @{HOME}/.config/volumeicon/ rw,
+ owner @{HOME}/.config/volumeicon/volumeicon* rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ # Start the PulseAudio sound mixer
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/pavucontrol rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/vsftpd b/apparmor.d/vsftpd
new file mode 100644
index 00000000..97735c2f
--- /dev/null
+++ b/apparmor.d/vsftpd
@@ -0,0 +1,83 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/vsftpd
+profile vsftpd @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+
+ # Only for local users authentication
+ #include
+
+ # To be able to listen on ports < 1024
+ capability net_bind_service,
+
+ # To be able to chroot local users
+ capability sys_chroot,
+
+ # To run vsftpd as ftp:ftp
+ capability setgid,
+ capability setuid,
+
+ # To change ownership of uploaded files
+ capability chown,
+
+ # Something to do with local users (?)
+ capability audit_write,
+
+ # Needed when container isolation is set (isolate=YES and isolate_network=YES), but vsftpd can
+ # work witout it as its code is set up to continue happily if container isolation is not
+ # available (when first written, many kernels didn't have the underlying support).
+ capability sys_admin,
+
+ # Needed when vsftpd maintains sessions (session_support=YES)
+ capability net_admin,
+ capability dac_read_search,
+ # If session_support=YES, vsftpd will also try and update utmp and wtmp
+ #include
+
+ # To validate allowed users shells
+ /etc/shells r,
+
+ # List of users disallowed FTP access
+ /etc/ftpusers r,
+
+ # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
+ /etc/hosts.{allow,deny} r,
+
+ # vsftpd config files
+ /etc/vsftpd.conf r,
+ /etc/vsftpd/**/ r,
+ /etc/vsftpd/* r,
+ /etc/vsftpd/users/* r,
+
+ # Certs for SSL/TLS conection
+ /etc/vsftpd/certs/*.crt r,
+ /etc/vsftpd/certs/*.key r,
+
+ # Logs
+ /var/log/vsftpd.log wk,
+ /var/log/xferlog w,
+
+ # A directory which vsftpd will try to change into after a user login
+ # Set "rw" when vsftpd allows users to send files
+ # The "k" flag is needed when lock_upload_files=YES
+ /media/ftp/ r,
+ /media/ftp/** rwk,
+
+ #include if exists
+}
diff --git a/apparmor.d/wavemon b/apparmor.d/wavemon
new file mode 100644
index 00000000..43630aeb
--- /dev/null
+++ b/apparmor.d/wavemon
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/wavemon
+profile wavemon @{exec_path} {
+ #include
+
+ # To scan WiFi networks
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.wavemonrc rw,
+
+ /etc/nsswitch.conf r,
+
+ @{PROC}/@{pid}/net/dev r,
+
+ #include if exists
+}
diff --git a/apparmor.d/wget b/apparmor.d/wget
new file mode 100644
index 00000000..1c171cef
--- /dev/null
+++ b/apparmor.d/wget
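Review bot: `capability sys_admin` is granted unconditionally even though the comment directly above it says vsftpd runs fine without it when `isolate=YES` is not configured; sys_admin is the broadest capability in the set and, for an Internet-facing daemon that parses untrusted commands and file names, it should be opt-in rather than default. Prefer `audit deny capability sys_admin,` in the shipped profile with a note that deployments using container isolation re-enable it in the local override, e.g. `# isolate=YES needs CAP_SYS_ADMIN; enable it in local/vsftpd if you use it`. `/media/ftp/** rwk` is likewise unconditional write on the whole upload tree, while the comment says `rw` should only be set when uploads are allowed — if the default deployment is read-only, ship `r` and document the `rwk` upgrade the same way. The private keys under `/etc/vsftpd/certs/*.key r` are a legitimate read, but the profile's `#include` lines have lost their targets in this rendering, so confirm none of them widens /etc/vsftpd beyond read.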
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/wget
+profile wget @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # For downloading files as root to user owned dirs
+ capability dac_read_search,
+ capability dac_override,
+
+ @{exec_path} mr,
+
+ /etc/wgetrc r,
+
+ owner @{HOME}/.wget-hsts rwk,
+
+ /usr/share/publicsuffix/public_suffix_list.* r,
+
+ # For apt
+ owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w,
+ owner /var/cache/google-android-platform-*-installer/platform-*.zip w,
+
+ #include if exists
+}
diff --git a/apparmor.d/whdd b/apparmor.d/whdd
new file mode 100644
index 00000000..dfc431c6
--- /dev/null
+++ b/apparmor.d/whdd
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/whdd
+profile whdd @{exec_path} {
+ #include
+
+ capability sys_rawio,
+ capability sys_admin,
+
+ # Needed?
+ deny capability sys_nice,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/tr rix,
+
+ # To read SMART attributes
+ /{usr/,}sbin/smartctl rPx,
+
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/partitions r,
+
+ /dev/sd[a-z] rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/whiptail b/apparmor.d/whiptail
new file mode 100644
index 00000000..6d7d8f8b
--- /dev/null
+++ b/apparmor.d/whiptail
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/whiptail
+profile whiptail @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner /tmp/gpm* w,
+
+ #include if exists
+}
diff --git a/apparmor.d/who b/apparmor.d/who
new file mode 100644
index 00000000..e4ac4f6f
--- /dev/null
+++ b/apparmor.d/who
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/who
+profile who @{exec_path} {
+ #include
+ #include
+ #include
+
+ capability kill,
+
+ @{exec_path} mr,
+
+ #include if exists
+}
diff --git a/apparmor.d/wireshark b/apparmor.d/wireshark
new file mode 100644
index 00000000..810bdbf9
--- /dev/null
+++ b/apparmor.d/wireshark
@@ -0,0 +1,112 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# pcap pcapng
+@{wireshark_ext} = [pP][cC][aA][pP]{,[nN][gG]}
+
+@{exec_path} = /{usr/,}bin/wireshark
+profile wireshark @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (send) peer=dumpcap,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dumpcap rPx,
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # For reading pcaps
+ / r,
+ /tmp/ r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ /media/ r,
+ owner /media/**/ r,
+ owner /{tmp,home,media}/**.@{wireshark_ext}{,.gz} rw,
+
+ # Wireshark files
+ /usr/share/wireshark/** r,
+ /{usr/,}lib/@{multiarch}/wireshark/extcap/* rix,
+ /{usr/,}lib/@{multiarch}/wireshark/plugins/*/{codecs,epan,wiretap}/*.so mr,
+ /etc/wireshark/init.lua r,
+
+ # Wireshark home files
+ owner @{HOME}/.wireshark/{,*} rw,
+ owner @{HOME}/.config/wireshark/{,*} rw,
+
+ # To configure Qt5 settings (theme, font, icons, etc.)
under DE/WM without Qt integration
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ deny @{PROC}/sys/kernel/random/boot_id r,
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/net/dev r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ /usr/share/GeoIP/{,**} r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/wmctrl b/apparmor.d/wmctrl
new file mode 100644
index 00000000..b6e301db
--- /dev/null
+++ b/apparmor.d/wmctrl
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/wmctrl
+profile wmctrl @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ #include if exists
+}
diff --git a/apparmor.d/wpa-gui b/apparmor.d/wpa-gui
new file mode 100644
index 00000000..0d29ba28
--- /dev/null
+++ b/apparmor.d/wpa-gui
@@ -0,0 +1,49 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/wpa_gui
+profile wpa-gui @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
+
+ /{var/,}run/wpa_supplicant/ r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ owner @{PROC}/@{pid}/cmdline r,
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/wpa-supplicant b/apparmor.d/wpa-supplicant
new file mode 100644
index 00000000..2f388293
--- /dev/null
+++ b/apparmor.d/wpa-supplicant
@@ -0,0 +1,58 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/wpa_supplicant
+profile wpa-supplicant @{exec_path} {
+ #include
+ #include
+ #include
+
+ # To remove the following errors:
+ # wpa_supplicant[]: wlan0: Failed to initialize driver interface
+ capability net_admin,
+ capability net_raw,
+
+ # To remove the following errors:
+ # wpa_supplicant[]: Failed to initialize control interface 'DIR=/run/wpa_supplicant
+ # GROUP=netdev'. You may have another wpa_supplicant process already running or the file was
+ # left by an unclean termination of wpa_supplicant in which case you will need to manually
+ # remove this file before starting wpa_supplicant again.
+ capability chown,
+
+ # Needed? (#FIXME#)
+ capability fsetid,
+ audit deny capability sys_module,
+
+ @{exec_path} mr,
+
+ owner /{,var/}run/wpa_supplicant/ rw,
+ owner /{,var/}run/wpa_supplicant/wlan* rw,
+ owner /{,var/}run/wpa_supplicant.wlan*.pid rw,
+
+ /etc/wpa_supplicant/wpa_supplicant.conf r,
+
+ /dev/rfkill r,
+
+ @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
+
+ @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
+
+ # For wpa_gui
+ #capability dac_override,
+ #/etc/wpa_supplicant/wpa_supplicant.conf w,
+ #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/wpa_cli b/apparmor.d/wpa_cli
new file mode 100644
index 00000000..0b2fc223
--- /dev/null
+++ b/apparmor.d/wpa_cli
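Review bot: In `@{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,` the bracket expression `[4,6]` is a character class, so it also matches a literal comma; the intended alternation is `@{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]/drop_* rw,`. The `wlan[0-9]` component, like `wlan*` in the run/ rules above it, will not match predictable interface names such as `wlp*`, so hosts using those names will see denials — worth a comment if that is deliberate. `capability fsetid,` still carries `# Needed? (#FIXME#)`; since the next line already uses `audit deny capability sys_module,`, giving fsetid the same `audit` treatment would show whether it is ever exercised before it stays in the profile.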
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/wpa_cli
+profile wpa_cli @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ owner /{,var/}run/wpa_supplicant/ r,
+ owner /tmp/wpa_ctrl_@{pid}-[0-9] rw,
+
+ # for interactive mode
+ /etc/inputrc r,
+ owner @{HOME}/.wpa_cli_history rw,
+ owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/wrmsr b/apparmor.d/wrmsr
new file mode 100644
index 00000000..c2112242
--- /dev/null
+++ b/apparmor.d/wrmsr
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}sbin/wrmsr
+profile wrmsr @{exec_path} flags=(complain) {
+ #include
+
+ # To access /dev/cpu/*/msr .
+ capability sys_rawio,
+
+ @{exec_path} mr,
+
+ owner /dev/cpu/[0-9]*/msr w,
+
+ #include if exists
+}
diff --git a/apparmor.d/x11-xsession b/apparmor.d/x11-xsession
new file mode 100644
index 00000000..817a6aee
--- /dev/null
+++ b/apparmor.d/x11-xsession
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /etc/X11/Xsession
+profile x11-xsession @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/tempfile rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/fold rix,
+
+ /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
+
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/udevadm rCx -> udevadm,
+
+ /{usr/,}bin/flatpak rPUx,
+ /{usr/,}bin/xrdb rPx,
+ /{usr/,}bin/numlockx rPx,
+ /{usr/,}bin/xhost rPx,
+ /{usr/,}bin/glxinfo rPx,
+
+ # Allowed GUI sessions to start
+ /{usr/,}bin/openbox-session rPx,
+ /{usr/,}bin/enlightenment_start rPUx,
+ /{usr/,}bin/sway rPUx,
+ /{usr/,}bin/ssh-agent rPx,
+
+ owner /tmp/file* rw,
+
+ /etc/default/{,*} r,
+
+ /etc/X11/{,**} r,
+
+ owner @{HOME}/.Xauthority r,
+
+ # Xsession logs
+ owner @{HOME}/.xsession-errors w,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/X11/Xsession.d/ r,
+ /etc/X11/Xresources/ r,
+
+ /etc/default/kexec.d/ r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ profile dbus {
+ #include
+
+ /{usr/,}bin/dbus-update-activation-environment mr,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpgconf mr,
+
+ /{usr/,}bin/gpg-agent rix,
+
+ owner
@{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ }
+
+ profile udevadm {
+ #include
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/**/uevent r,
+ /{var/,}run/udev/data/* r,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver
new file mode 100644
index 00000000..54337681
--- /dev/null
+++ b/apparmor.d/xarchiver
@@ -0,0 +1,102 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xarchiver
+profile xarchiver @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cp rix,
+
+ # Archivers
+ /{usr/,}bin/7z rix,
+ /{usr/,}lib/p7zip/7z rix,
+ /{usr/,}bin/unrar-nonfree rix,
+ /{usr/,}bin/zip rix,
+ /{usr/,}bin/unzip rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/xz rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/cpio rix,
+ /{usr/,}bin/gzip rix,
+ # For deb packages
+ /{usr/,}bin/{,@{multiarch}-}ar rix,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ owner @{HOME}/.config/xarchiver/ rw,
+ owner @{HOME}/.config/xarchiver/xarchiverrc{,.*} rw,
+
+ owner @{HOME}/.bz2 rw,
+
+ / r,
+ /home/ r,
+ #owner @{HOME}/ r,
+ #owner @{HOME}/** rw,
+ /media/ r,
+ /media/** rw,
+ /tmp/ r,
+ owner /tmp/** rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ # Allowed apps to open
+ /{usr/,}bin/engrampa rPUx,
+ /{usr/,}bin/geany rPUx,
+ /{usr/,}bin/viewnior rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile open {
+ #include
+ #include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/dash rix,
+
+ # Allowed apps to open
+ /{usr/,}bin/engrampa rPUx,
+ /{usr/,}bin/geany rPUx,
+ /{usr/,}bin/viewnior rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
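Review bot: `/media/** rw,` is the one broad write rule in this profile without `owner`, while the neighbouring `owner /tmp/** rw,` is owner-restricted; unless xarchiver has to write into other users' removable media, `owner /media/** rw,` keeps the same shape. The tools under `# Archivers` run with `rix`, so while they parse untrusted archive contents they inherit the whole profile, including that `/media/**` write and the `xdg-open rCx` transition; a short comment recording that this inheritance is accepted (or a dedicated child profile for the extractors) would make the decision visible. `@{exec_path} mrix,` also lets xarchiver re-exec itself, where the other profiles in this commit use `mr`.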
diff --git a/apparmor.d/xauth b/apparmor.d/xauth
new file mode 100644
index 00000000..914e3afb
--- /dev/null
+++ b/apparmor.d/xauth
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xauth
+profile xauth @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority-c w,
+ owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
+ owner @{HOME}/.Xauthority-n rw,
+ owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
+
+ owner /tmp/serverauth.*-c w,
+ owner /tmp/serverauth.*-l wl -> /tmp/serverauth.*-c,
+ owner /tmp/serverauth.*-n rw,
+ owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
+
+ #include if exists
+}
diff --git a/apparmor.d/xautolock b/apparmor.d/xautolock
new file mode 100644
index 00000000..203c1243
--- /dev/null
+++ b/apparmor.d/xautolock
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xautolock
+profile xautolock @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/env rix,
+
+ # Locker apps to launch.
+ /{usr/,}bin/i3lock-fancy rPx,
+ /{usr/,}bin/light-locker rPx,
+ /{usr/,}bin/light-locker-command rPx,
+
+ /{usr/,}bin/xset rPx,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/xbacklight b/apparmor.d/xbacklight
new file mode 100644
index 00000000..0545df97
--- /dev/null
+++ b/apparmor.d/xbacklight
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xbacklight
+profile xbacklight @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-desktop-menu b/apparmor.d/xdg-desktop-menu
new file mode 100644
index 00000000..f25a59b8
--- /dev/null
+++ b/apparmor.d/xdg-desktop-menu
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-desktop-menu
+profile xdg-desktop-menu @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/whoami rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/readlink rix,
+
+ /{usr/,}bin/update-desktop-database rPx,
+
+ owner @{HOME}/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,
+ owner @{HOME}/.local/share/applications/chrome-*.desktop rw,
+ owner @{HOME}/.gnome/apps/chrome-*.desktop rw,
+
+ /usr/share/applications/*.desktop rw,
+ /usr/share/*/*.desktop r,
+
+ /usr/share/applications/defaults.list r,
+ /usr/share/applications/defaults.list.new w,
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-email b/apparmor.d/xdg-email
new file mode 100644
index 00000000..9f10a5e4
--- /dev/null
+++ b/apparmor.d/xdg-email
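Review bot: `/usr/share/applications/*.desktop rw,` lets the confined script rewrite every system-wide launcher, while the home-directory rules just above it are narrowed to `chrome-*.desktop`; if the system-mode case is likewise only the Chrome installer, `/usr/share/applications/chrome-*.desktop rw,` together with `/usr/share/applications/*.desktop r,` would mirror them. If the broad rule is deliberate because xdg-desktop-menu in system mode installs arbitrary entries, a comment saying so would help, since writable launchers are a common persistence point and the profile is still `flags=(complain)`. The xdg-icon-resource hunk below shows the same pattern in `/usr/share/icons/**.png rw,` next to its `chrome-*.png` home-directory rules.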
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-email
+profile xdg-email @{exec_path} flags=(complain) {
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-icon-resource b/apparmor.d/xdg-icon-resource
new file mode 100644
index 00000000..1bb5f966
--- /dev/null
+++ b/apparmor.d/xdg-icon-resource
@@ -0,0 +1,50 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-icon-resource
+profile xdg-icon-resource @{exec_path} flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/whoami rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/touch rix,
+
+ /{usr/,}bin/gtk-update-icon-cache rPUx,
+
+ /usr/share/icons/**.png rw,
+ /usr/share/icons/*/.xdg-icon-resource-dummy rw,
+
+ /usr/share/**/icons/**.png r,
+
+ owner /tmp/.com.google.Chrome.*/chrome-*.png r,
+
+ owner @{HOME}/.local/share/icons/**/apps/chrome-*.png rw,
+ owner @{HOME}/.local/share/icons/**/.xdg-icon-resource-dummy rw,
+ /opt/**/*.png r,
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-mime b/apparmor.d/xdg-mime
new file mode 100644
index 00000000..2b2911b6
--- /dev/null
+++ b/apparmor.d/xdg-mime
@@ -0,0 +1,73 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-mime
+profile xdg-mime @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/file rix,
+
+ /{usr/,}bin/mimetype rPx,
+ /{usr/,}bin/xprop rPx,
+
+ # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
+ # following root processes:
+ # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
+ # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
+ #
+ # Should this be allowed? Xdg-mime works fine without this.
+ #/{usr/,}bin/dbus-launch rCx -> dbus,
+ #/{usr/,}bin/dbus-send rCx -> dbus,
+ deny /{usr/,}bin/dbus-launch rx,
+ deny /{usr/,}bin/dbus-send rx,
+
+ owner @{HOME}/.config/mimeapps.list{,.new} rw,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ /media/** rw,
+
+
+ profile dbus {
+ #include
+ #include
+
+ /{usr/,}bin/dbus-launch mr,
+ /{usr/,}bin/dbus-send mr,
+ /{usr/,}bin/dbus-daemon rPUx,
+
+ # for dbus-launch
+ owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+
+ @{HOME}/.Xauthority r,
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-open b/apparmor.d/xdg-open
new file mode 100644
index 00000000..6a82d18f
--- /dev/null
+++ b/apparmor.d/xdg-open
@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-open
+profile xdg-open @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/uname rix,
+
+ /{usr/,}bin/xprop rPx,
+ /{usr/,}bin/xdg-mime rPx,
+
+ /{usr/,}bin/exo-open rPx,
+ /{usr/,}bin/gio rPx,
+ #/{usr/,}bin/kde-open5 rPUx,
+
+ # When xdg-open is run as root, it wants to exec dbus-launch, and hence it creates the two
+ # following root processes:
+ # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
+ # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
+ #
+ # Should this be allowed? Xdg-open works fine without this.
+ #/{usr/,}bin/dbus-launch rCx -> dbus,
+ #/{usr/,}bin/dbus-send rCx -> dbus,
+ deny /{usr/,}bin/dbus-launch rx,
+ deny /{usr/,}bin/dbus-send rx,
+
+ /usr/share/applications/*.desktop r,
+ owner @{HOME}/.local/share/applications/ r,
+
+ owner @{HOME}/.Xauthority r,
+
+ /** r,
+ owner /** rw,
+
+ # file_inherit
+ /dev/dri/card[0-9]* rw,
+
+
+ profile dbus {
+ #include
+ #include
+
+ /{usr/,}bin/dbus-launch mr,
+ /{usr/,}bin/dbus-send mr,
+ /{usr/,}bin/dbus-daemon rPUx,
+
+ # for dbus-launch
+ owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+
+ @{HOME}/.Xauthority r,
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver
new file mode 100644
index 00000000..f4f373df
--- /dev/null
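Review bot: `/** r,` followed by `owner /** rw,` gives xdg-open read access to the whole filesystem and write access to every file the user owns, which largely undoes the confinement the rest of the profile builds with its explicit `rPx` transitions and the `deny` on dbus-launch. xdg-open only has to inspect the file or URL it is handed before delegating to `exo-open`, `gio` or `xdg-mime`, so the `w` in particular looks unneeded; if it exists for an inherited descriptor, the `# file_inherit` section already present is the place for a narrower rule. If the broad rules are required by the dispatched helpers, a comment explaining why, in the style of the dbus block above them, would keep the next reader from tightening them blindly.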
+++ b/apparmor.d/xdg-screensaver
@@ -0,0 +1,75 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-screensaver
+profile xdg-screensaver @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/uname rix,
+
+ /{usr/,}bin/xprop rPx,
+ /{usr/,}bin/xdg-mime rPx,
+ /{usr/,}bin/xset rPx,
+ /{usr/,}bin/hostname rPx,
+
+ /{usr/,}bin/xautolock rCx -> xautolock,
+ /{usr/,}bin/dbus-send rCx -> dbus,
+
+ /dev/dri/card[0-9] rw,
+
+ owner @{HOME}/.Xauthority r,
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+ /dev/dri/card[0-9]* rw,
+
+
+ profile xautolock {
+ #include
+ #include
+
+ /{usr/,}bin/xautolock mr,
+
+ # file_inherit
+ /dev/dri/card[0-9]* rw,
+
+ owner @{HOME}/.Xauthority r,
+
+ }
+
+ profile dbus {
+ #include
+ #include
+
+ /{usr/,}bin/dbus-send mr,
+
+ # file_inherit
+ /dev/dri/card[0-9]* rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/xdg-settings b/apparmor.d/xdg-settings
new file mode 100644
index 00000000..813ab653
--- /dev/null
+++ b/apparmor.d/xdg-settings
@@ -0,0 +1,78 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdg-settings
+profile xdg-settings @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/uname rix,
+
+ # When xdg-settings is run as root, it wants to exec dbus-launch, and hence it creates the two
+ # following root processes:
+ # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
+ # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
+ #
+ # Should this be allowed? Xdg-settings works fine without this.
+ #/{usr/,}bin/dbus-launch rCx -> dbus,
+ #/{usr/,}bin/dbus-send rCx -> dbus,
+ deny /{usr/,}bin/dbus-launch rx,
+ deny /{usr/,}bin/dbus-send rx,
+
+ /{usr/,}bin/xprop rPx,
+ /{usr/,}bin/xdg-mime rPx,
+
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/xdg/xfce4/helpers.rc r,
+ owner @{HOME}/.config/xfce4/helpers.rc{,.*} rw,
+
+ owner @{HOME}/.Xauthority r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+
+ profile dbus {
+ #include
+ #include
+
+ /{usr/,}bin/dbus-launch mr,
+ /{usr/,}bin/dbus-send mr,
+ /{usr/,}bin/dbus-daemon rPUx,
+
+ # for dbus-launch
+ owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+
+ @{HOME}/.Xauthority r,
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/xdpyinfo b/apparmor.d/xdpyinfo
new file mode 100644
index 00000000..30adae51
--- /dev/null
+++ b/apparmor.d/xdpyinfo
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xdpyinfo
+profile xdpyinfo @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/xfce4-notifyd b/apparmor.d/xfce4-notifyd
new file mode 100644
index 00000000..cf9d4ba9
--- /dev/null
+++ b/apparmor.d/xfce4-notifyd
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/@{multiarch}/xfce4/notifyd/xfce4-notifyd
+profile xfce4-notifyd @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/**.png r,
+
+ owner /tmp/.org.chromium.Chromium.* rw,
+
+ # For calibre notifications
+ owner @{HOME}/.config/calibre/resources/images/*.png r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/xfconfd b/apparmor.d/xfconfd
new file mode 100644
index 00000000..21a1f02c
--- /dev/null
+++ b/apparmor.d/xfconfd
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd
+profile xfconfd @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-notifyd.xml{,.new} rw,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/xhost b/apparmor.d/xhost
new file mode 100644
index 00000000..5cbcee52
--- /dev/null
+++ b/apparmor.d/xhost
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xhost
+profile xhost @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/xinit b/apparmor.d/xinit
new file mode 100644
index 00000000..4f63caeb
--- /dev/null
+++ b/apparmor.d/xinit
@@ -0,0 +1,139 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xinit
+profile xinit @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ signal (receive) set=(usr1) peer=xorg,
+
+ signal (send) set=(term, kill) peer=xorg,
+ signal (send) set=(hup),
+
+ /etc/X11/xinit/xinitrc rix,
+ /etc/X11/xinit/xserverrc rix,
+
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/tempfile rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/id rix,
+
+ /{usr/,}bin/dbus-update-activation-environment rix,
+
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/udevadm rCx -> udevadm,
+
+ /{usr/,}bin/xrdb rPx,
+ /{usr/,}bin/numlockx rPx,
+ /{usr/,}bin/xhost rPx,
+ /{usr/,}bin/glxinfo rPx,
+ /{usr/,}bin/flatpak rPUx,
+
+ # Allowed GUI sessions to start
+ /{usr/,}bin/openbox-session rPx,
+ /{usr/,}bin/enlightenment_start rPUx,
+ /{usr/,}bin/sway rPUx,
+ /{usr/,}bin/ssh-agent rPx,
+
+ owner /tmp/file* rw,
+
+ /{usr/,}bin/X rPx,
+ /{usr/,}bin/Xorg rPx,
+
+ /etc/X11/{,**} r,
+
+ /etc/default/{,*} r,
+
+ # Xsession logs
+ owner @{HOME}/.xsession-errors w,
+
+ owner @{HOME}/.Xauthority r,
+
+
+ profile run-parts {
+ #include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/X11/Xsession.d/ r,
+ /etc/X11/Xresources/ r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ profile gpg {
+ #include
+
+ /{usr/,}bin/gpgconf mr,
+
+ /{usr/,}bin/gpg-agent rix,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ profile udevadm {
+ #include
+
+ /{usr/,}bin/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/sched r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/**/uevent r,
+ /{var/,}run/udev/data/* r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/xinput b/apparmor.d/xinput
new file mode 100644
index 00000000..81231e0d
--- /dev/null
+++ b/apparmor.d/xinput
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xinput
+profile xinput @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ #include if exists
+}
diff --git a/apparmor.d/xkbcomp b/apparmor.d/xkbcomp
new file mode 100644
index 00000000..cbbeb17c
--- /dev/null
+++ b/apparmor.d/xkbcomp
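Review bot: `/{usr/,}bin/flatpak rPUx,`, `/{usr/,}bin/enlightenment_start rPUx,` and `/{usr/,}bin/sway rPUx,` in the xinit profile fall back to unconfined whenever no profile of that name is loaded, and because two of them start an entire session, everything launched from that session is then unconfined as well; `openbox-session` and `ssh-agent` already use `rPx`, so either a comment recording that the fallback is deliberate or a switch to `rPx` once profiles exist would make the intent explicit. `signal (send) set=(hup),` is the only signal rule without a `peer=`; if the HUP has a known recipient it should be scoped like the `peer=xorg` rules above it. The `gpg` child profile grants `owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,` to what is only a gpgconf/gpg-agent launch — if the launch needs no more than the directory and its sockets, narrowing this avoids handing a session-startup helper write access to the whole keyring.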
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xkbcomp
+profile xkbcomp @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /usr/share/X11/xkb/** r,
+
+ /var/lib/xkb/server-[0-9]*.xkm w,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{HOME}/*.{xkb,xkm} rw,
+
+ owner /tmp/server-[0-9].xkm w,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ deny /var/log/Xorg.[0-9]*.log w,
+ deny /dev/input/event[0-9]* rw,
+ owner @{HOME}/.local/share/xorg/Xorg.[0-9].log w,
+ owner /var/log/lightdm/x-[0-9]*.log w,
+ /dev/dri/card[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/xorg b/apparmor.d/xorg
new file mode 100644
index 00000000..2beb297e
--- /dev/null
+++ b/apparmor.d/xorg
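Review bot: Under `# file_inherit`, `/dev/dri/card[0-9]* rw,` allows the inherited DRM descriptor, while the `xset` profile in this same commit handles the identical inherited fd with `deny /dev/dri/card[0-9]* rw,`; xkbcomp has no use for the card itself, so the deny form is the consistent, least-privilege choice and matches the `deny /dev/input/event[0-9]* rw,` rule two lines above. Separately, `owner /tmp/server-[0-9].xkm w,` and `owner @{HOME}/.local/share/xorg/Xorg.[0-9].log w,` match a single digit where the sibling rules use `[0-9]*`, so display numbers of 10 and above would be denied.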
@@ -0,0 +1,159 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# The attach_disconnected flag is needed when xserver is started via startx, or the mouse/keyboard
+# won't work.
+# operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="xorg"
+# name="dev/dri/card*"
+# operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="xorg"
+# name="dev/input/event*"
+@{exec_path} = /{usr/,}bin/X
+@{exec_path} += /{usr/,}bin/Xorg
+@{exec_path} += /{usr/,}lib/xorg/Xorg
+profile xorg @{exec_path} flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ ##include
+
+ # When the Xserver is started via startx as a regular user, there's no need for any of the
+ # following CAPs. When some DM is used instead, some of the CAPs are needed.
+ # Tested so far with LightDM and SDDM.
+ #
+ # In the case of most of the DMs, the sys_admin CAP is needed becasue if it's denied then Xserver
+ # has the following issue:
+ # (EE) modeset(0): drmSetMaster failed: Permission denied
+ #capability sys_admin,
+ #
+ # It looks like the Xserver started via LightDM can work just fine without the rest of the
+ # following CAPs.
+ #
+ # This has something to do with attaching the System V shared memory segments:
+ # shmat(131103, NULL, 0) = -1 EACCES (Permission denied)
+ #capability ipc_owner,
+ #
+ # For SDDM to read some /proc/ and /sys/ files:
+ #capability dac_read_search,
+ #
+ # These can be denied.
+ #deny capability dac_override,
+ #deny capability sys_rawio,
+ deny capability sys_nice,
+
+ # for KDE/SDDM
+ #capability sys_tty_config,
+
+ signal (send) set=(usr1),
+
+ signal (receive) peer=lightdm,
+ signal (receive) peer=sddm,
+ signal (receive) peer=xinit,
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/xkbcomp rPx,
+ /{usr/,}bin/pkexec rPx,
+
+ # Xorg files
+ /etc/X11/{,**} r,
+ /{usr/,}lib/xorg/ r,
+ /{usr/,}lib/xorg/modules/ r,
+ /{usr/,}lib/xorg/modules/** mr,
+
+ #
+ /var/lib/xkb/server-[0-9]*.xkm rw,
+
+ # Log files
+ owner /var/log/Xorg.[0-9].log{,.old} rw,
+ owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
+ owner @{HOME}/.local/share/xorg/ rw,
+ owner @{HOME}/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
+ owner @{HOME}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
+ owner @{HOME}/.xsession-errors w,
+
+ # TMP files
+ owner /tmp/.X11-unix/ rw,
+ owner /tmp/.X11-unix/X* rwk,
+ owner /tmp/.tX[0-9]-lock rwk,
+ owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock,
+ owner /tmp/server-* rwk,
+ owner /tmp/serverauth.* r,
+
+ # Graphic card modules
+ /dev/vga_arbiter rw,
+ @{sys}/module/i915/{,**} r,
+
+ # Input devices (keyboard, mouse, etc)
+ /dev/input/event[0-9]* rw,
+
+ /usr/share/libinput/ r,
+ /usr/share/libinput/[0-9][0-9]-*.quirks r,
+
+ # Screen backlight
+ @{sys}/devices/pci[0-9]*/**/backlight/*/{,max_}brightness r,
+ @{sys}/devices/pci[0-9]*/**/backlight/*/brightness rw,
+
+ # Display Xserver on a specific TTY
+ owner /dev/tty[0-9]* rw,
+
+ # Needed for SDDM display manager
+ /{,var/}run/sddm/{,**} rw,
+
+ # Needed for LightDM display manager
+ /{,var/}run/lightdm/{,**} rw,
+ /var/log/lightdm/x-*.log* rw,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/{tty,input,drm}/ r,
+ @{sys}/devices/**/{uevent,name,id,config} r,
+ @{sys}/devices/pci[0-9]*/**/ r,
+ @{sys}/devices/pci[0-9]*/**/boot_vga r,
+
+ /{,var/}run/udev/data/+input* r, # for mouse, keyboard, touchpad
+ /{,var/}run/udev/data/+platform* r, # for ?
+ /{,var/}run/udev/data/+drm:card[0-9]-* r, # for screen outputs
+ #/{,var/}run/udev/data/+dmi* r, # for ?
+ /{,var/}run/udev/data/+acpi* r, # for ?
+ /{,var/}run/udev/data/+hid* r, # for HID-Compliant Keyboard
+ /{,var/}run/udev/data/+pci* r, # for VGA compatible controller
+ /{,var/}run/udev/data/+usb* r, # for USB mouse and keyboard
+ /{,var/}run/udev/data/+serio* r, # for touchpad?
+ /{,var/}run/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]*
+ /{,var/}run/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx
+ /{,var/}run/udev/data/c13:[0-9]* r, # for /dev/input/*
+ /{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ /{,var/}run/udev/data/c226:[0-9]* r, # for /dev/dri/card*
+
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/cmdline r,
+ @{PROC}/mtrr rw,
+
+ #
+ /dev/shm/shmfd-* rw,
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ /etc/glvnd/egl_vendor.d/ r,
+ /usr/share/glvnd/egl_vendor.d/ r,
+ /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r,
+
+ #include if exists
+}
diff --git a/apparmor.d/xprop b/apparmor.d/xprop
new file mode 100644
index 00000000..32ce6044
--- /dev/null
+++ b/apparmor.d/xprop
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xprop
+profile xprop @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{HOME}/.icons/default/index.theme r,
+ /usr/share/icons/*/cursors/crosshair r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/xrandr b/apparmor.d/xrandr
new file mode 100644
index 00000000..a4bc6352
--- /dev/null
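Review bot: `signal (send) set=(usr1),` in the xorg profile carries no `peer=`, so the server may deliver SIGUSR1 to any process, while the matching receive rule in the `xinit` profile of this commit is already scoped with `peer=xorg`; writing it as `signal (send) set=(usr1) peer=xinit,` with equivalent rules for `lightdm` and `sddm` (the three peers named in the receive rules just below) keeps both sides symmetric. `/{,var/}run/sddm/{,**} rw,` and `/{,var/}run/lightdm/{,**} rw,` give a root-running X server write access to the entire display-manager runtime tree, including whatever auth material the DM keeps there; if the audit log only shows the xauthority files and sockets, listing those paths instead is the safer rule. The `# for ?` comments on the `+platform*` and `+acpi*` udev entries, and the bare `#` headings above `/var/lib/xkb/server-[0-9]*.xkm` and `/dev/shm/shmfd-*`, are placeholders worth resolving before the profile is published.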
+++ b/apparmor.d/xrandr
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xrandr
+profile xrandr @{exec_path} {
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/xrdb b/apparmor.d/xrdb
new file mode 100644
index 00000000..6fd1b63e
--- /dev/null
+++ b/apparmor.d/xrdb
@@ -0,0 +1,48 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xrdb
+profile xrdb @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
+ /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
+ /usr/include/stdc-predef.h r,
+
+ owner @{HOME}/.Xauthority r,
+
+ /etc/X11/Xresources/x11-common r,
+
+ # The location of the .Xresources file
+ owner @{HOME}/.Xresources r,
+ owner @{HOME}/.config/.Xresources r,
+ owner @{HOME}/.config/Xresources/.Xresources r,
+ # If the .Xresources file includes some additional files
+ owner @{HOME}/.config/Xresources/* r,
+
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
+ owner /tmp/kcminit.* r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
+
diff --git a/apparmor.d/xsel b/apparmor.d/xsel
new file mode 100644
index 00000000..1e3d91d4
--- /dev/null
+++ b/apparmor.d/xsel
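Review bot: `/{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,` and the `cc1` rule run the C preprocessor inside the xrdb profile, which is what makes the later `# If the .Xresources file includes some additional files` rule necessary; that link is not visible from the rules themselves, so a comment such as `# cpp/cc1 run under this profile (ix): #include directives in .Xresources can only reach paths granted here` above the cpp rule would help the next maintainer. A trailing blank line after the closing `}` is also left in this file and in none of the other profiles in the commit.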
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xsel
+profile xsel @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.xsel.log rw,
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/xsel.log rw,
+
+ owner @{HOME}/.Xauthority r,
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/xset b/apparmor.d/xset
new file mode 100644
index 00000000..c394a82a
--- /dev/null
+++ b/apparmor.d/xset
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xset
+profile xset @{exec_path} {
+ #include
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+ owner @{HOME}/.xsession-errors w,
+ deny /dev/dri/card[0-9]* rw,
+
+ #include if exists
+}
diff --git a/apparmor.d/xsetroot b/apparmor.d/xsetroot
new file mode 100644
index 00000000..2cfb417a
--- /dev/null
+++ b/apparmor.d/xsetroot
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/xsetroot
+profile xsetroot @{exec_path} {
+ #include
+ #include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.Xauthority r,
+
+ /etc/X11/cursors/*.theme r,
+ /usr/share/icons/*/cursors/default r,
+ /usr/share/icons/*/index.theme r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ #include if exists
+}
diff --git a/apparmor.d/youtube-dl b/apparmor.d/youtube-dl
new file mode 100644
index 00000000..9bfa857a
--- /dev/null
+++ b/apparmor.d/youtube-dl
@@ -0,0 +1,96 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a
+@{ytdl_ext} = [aA]{52,[aA][cC],[cC]3}
+@{ytdl_ext} += [mM][kK][aA]
+@{ytdl_ext} += [fF][lL][aA][cC]
+@{ytdl_ext} += [mM][pP][123cC]
+@{ytdl_ext} += [oO][gGmM][aA]
+@{ytdl_ext} += [wW]{,[aA]}[vV]
+@{ytdl_ext} += [wW][mM]{,[aA]}
+@{ytdl_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{ytdl_ext} += [aA][sS][fF]
+@{ytdl_ext} += [aA][vV][iI]
+@{ytdl_ext} += [dD][iI][vV][xX]
+@{ytdl_ext} += [mM][124][vV]
+@{ytdl_ext} += [mM][kKoO][vV]
+@{ytdl_ext} += [mM][pP][4aAeEgG]
+@{ytdl_ext} += [mM][pP][eE][gG]{,[124]}
+@{ytdl_ext} += [oO][gG][gGmMxXvV]
+@{ytdl_ext} += [rR][mM]{,[vV][bB]}
+@{ytdl_ext} += [wW][eE][bB][mM]
+@{ytdl_ext} += [wW][mMtT][vV]
+@{ytdl_ext} += [mM][pP]2[tT]
+@{ytdl_ext} += [mM]4[aA]
+
+# The ytdl specific file extensions
+# ytdl, part, tmp, temp
+@{ytdl_ext} += [yY][tT][dD][lL]
+@{ytdl_ext} += part{,-*}
+@{ytdl_ext} += [tT]{,[eE]}[mM][pP]
+
+@{exec_path} = /{usr/,}bin/youtube-dl
+profile youtube-dl @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (receive) set=(term, kill) peer=mpv,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/gcc rix,
+ /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/rtmpdump rix,
+ /{usr/,}bin/git rix,
+
+ # Which files youtube-dl should be able to open
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{ytdl_ext} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/mime.types r,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/youtube-dl/{,**} rw,
+
+ owner @{HOME}/.config/git/config r,
+
+ # External apps
+ /{usr/,}bin/ffmpeg rPUx,
+ /{usr/,}bin/ffprobe rPUx,
+
+ #include if exists
+}
diff --git a/apparmor.d/youtube-viewer b/apparmor.d/youtube-viewer
new file mode 100644
index 00000000..e6c1d396
--- /dev/null
+++ b/apparmor.d/youtube-viewer
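Review bot: `/{usr/,}bin/gcc rix,` and `/{usr/,}bin/git rix,` are unusual grants for a downloader that processes untrusted remote content, and nothing in the youtube-dl profile says why they are needed (the `rtmpdump`, `ldconfig` and `uname` rules are self-explanatory by comparison); a comment on each, e.g. `# ctypes.util.find_library probes gcc and ldconfig` if that is the observed cause, would let a reviewer judge whether they can be dropped. `/{usr/,}bin/ffmpeg rPUx,` and `/{usr/,}bin/ffprobe rPUx,` fall back to unconfined when no profile of that name is loaded, and ffmpeg is the component that parses the downloaded media; if this repository ships an ffmpeg profile, `rPx` is the safer transition, otherwise a comment recording the deliberate fallback is worth adding.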
@@ -0,0 +1,70 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/youtube-viewer
+profile youtube-viewer @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm,
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/infocmp rix,
+ /{usr/,}bin/stty rix,
+
+ /{usr/,}bin/wget rCx -> wget,
+
+ owner @{HOME}/.config/youtube-viewer/{,*} rw,
+ owner @{HOME}/.cache/youtube-viewer/{,*} rw,
+ owner @{HOME}/Downloads/youtube-viewer/{,*} rw,
+
+ /etc/inputrc r,
+
+ # Players
+ /{usr/,}bin/mpv rPUx,
+ /{usr/,}bin/vlc rPUx,
+ /{usr/,}bin/smplayer rPUx,
+
+ /{usr/,}bin/ffmpeg rPUx,
+
+
+ profile wget {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm,
+
+ /{usr/,}bin/wget mr,
+
+ /etc/wgetrc r,
+
+ owner @{HOME}/.wget-hsts r,
+ owner @{HOME}/wget-log{,.[0-9]*} rw,
+
+ }
+
+ #include if exists
+}
diff --git a/apparmor.d/ytdl b/apparmor.d/ytdl
new file mode 100644
index 00000000..19de628e
--- /dev/null
+++ b/apparmor.d/ytdl
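Review bot: The `wget` child profile has no write rule for `@{HOME}/Downloads/youtube-viewer/` — that rule lives only in the parent — so if wget is the process that writes the downloaded file (the parent hands off to it with `rCx -> wget`), the download would be denied; in that case the child needs its own `owner @{HOME}/Downloads/youtube-viewer/{,*} rw,`. The players `mpv`, `vlc` and `smplayer` and `ffmpeg` are all `rPUx`, so an unprofiled player runs unconfined with the fetched stream; a comment noting that the fallback is intentional, or `rPx` where a profile exists, would make the trade-off explicit.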
@@ -0,0 +1,79 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a
+@{ytdl_ext} = [aA]{52,[aA][cC],[cC]3}
+@{ytdl_ext} += [mM][kK][aA]
+@{ytdl_ext} += [fF][lL][aA][cC]
+@{ytdl_ext} += [mM][pP][123cC]
+@{ytdl_ext} += [oO][gGmM][aA]
+@{ytdl_ext} += [wW]{,[aA]}[vV]
+@{ytdl_ext} += [wW][mM]{,[aA]}
+@{ytdl_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{ytdl_ext} += [aA][sS][fF]
+@{ytdl_ext} += [aA][vV][iI]
+@{ytdl_ext} += [dD][iI][vV][xX]
+@{ytdl_ext} += [mM][124][vV]
+@{ytdl_ext} += [mM][kKoO][vV]
+@{ytdl_ext} += [mM][pP][4aAeEgG]
+@{ytdl_ext} += [mM][pP][eE][gG]{,[124]}
+@{ytdl_ext} += [oO][gG][gGmMxXvV]
+@{ytdl_ext} += [rR][mM]{,[vV][bB]}
+@{ytdl_ext} += [wW][eE][bB][mM]
+@{ytdl_ext} += [wW][mMtT][vV]
+@{ytdl_ext} += [mM][pP]2[tT]
+@{ytdl_ext} += [mM]4[aA]
+
+# The ytdl specific file extensions
+# ytdl, part, tmp, temp
+@{ytdl_ext} += [yY][tT][dD][lL]
+@{ytdl_ext} += part{,-*}
+@{ytdl_ext} += [tT]{,[eE]}[mM][pP]
+
+@{exec_path} = /{usr/,}bin/ytdl
+profile ytdl @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/uname rix,
+
+ # Which files youtube-dl should be able to open
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ owner /media/**/ r,
+ owner /{home,media}/**.@{ytdl_ext} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/mime.types r,
+
+ # Needed when displaying info on available formats
+ owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js*.json r,
+
+ #include if exists
+}
diff --git a/apparmor.d/zenmap b/apparmor.d/zenmap
new file mode 100644
index 00000000..d7f07bd3
--- /dev/null
+++ b/apparmor.d/zenmap
@@ -0,0 +1,50 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/{zenmap,nmapfe}
+profile zenmap @{exec_path} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal (send) set=(term, kill) peer=nmap,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/nmap rPx,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.zenmap/ rw,
+ owner @{HOME}/.zenmap/** rwk,
+ # For nmap xml files
+ owner @{HOME}/*.xml rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ /usr/share/zenmap/** r,
+
+ owner /tmp/* rw,
+ owner /tmp/zenmap-stdout-* rw,
+
+ #include if exists
+}
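Review bot: The 25-line `@{ytdl_ext}` definition in the ytdl profile is copied verbatim from `apparmor.d/youtube-dl` in the same commit, so the two lists will drift as extensions are added; moving the definition to a shared tunables file included by both profiles keeps one source of truth. The comment `# Which files youtube-dl should be able to open` is copied along with it and names the wrong program — in this profile it should read `# Which files ytdl should be able to open`.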
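Review bot: `owner /tmp/* rw,` in the zenmap profile already covers the `owner /tmp/zenmap-stdout-* rw,` rule that follows it, so the narrow rule is dead; if the stdout capture files are the only /tmp writes zenmap needs, drop the broad rule and keep the specific one, and if other /tmp files are needed they are worth naming, since the broad rule lets a GUI front-end overwrite any file the user owns in /tmp. `owner @{HOME}/*.xml rw,` under `# For nmap xml files` is similarly wide; if the result path is user-chosen it cannot be narrowed, but the comment should say so.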