From 29b0e3e2e357a900c55ffc2be9b42320ea8195fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 9 Dec 2023 16:14:22 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/abstractions/video.d/complete | 5 ++ apparmor.d/groups/browsers/firefox | 46 +++++++------------ apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/firefox-vaapitest | 2 +- .../groups/gnome/gnome-shell-calendar-server | 6 +++ apparmor.d/groups/gnome/goa-daemon | 9 +--- apparmor.d/groups/gnome/gsd-keyboard | 14 +----- apparmor.d/profiles-g-l/hw-probe | 12 +---- .../profiles-m-r/mate-notification-daemon | 1 + apparmor.d/profiles-s-z/torsocks | 1 + 10 files changed, 34 insertions(+), 64 deletions(-) create mode 100644 apparmor.d/abstractions/video.d/complete diff --git a/apparmor.d/abstractions/video.d/complete b/apparmor.d/abstractions/video.d/complete new file mode 100644 index 00000000..4a719eab --- /dev/null +++ b/apparmor.d/abstractions/video.d/complete @@ -0,0 +1,5 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 356b0736..d1da16fb 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
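Review bot: `@{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,` in the new video.d/complete drop-in has no comment saying which consumer needed it or why only `uevent` is read; a one-line comment above the rule naming that consumer would save the next reader a bisect. If `@{pci}` does not already expand to a `**` glob, cameras attached through USB (a `.../usb@{int}/.../video4linux/` path under the PCI root) would not match this rule, so it is worth confirming against the tunable definition. The hunk is the whole new file.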
@@ -59,42 +59,28 @@ profile firefox @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.mozilla.firefox_beta.*, deny dbus send bus=system path=/org/freedesktop/hostname1, - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - peer=(name=org.freedesktop.ScreenSaver), - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=EnumerateDevices - peer=(name=org.freedesktop.UPower), - - dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit - interface=org.freedesktop.PowerManagement.Inhibit - member=Inhibit - peer=(name=org.freedesktop.PowerManagement), + dbus bind bus=session name=org.mozilla.firefox.*, + dbus receive bus=session path=/org/mozilla/firefox/* + interface=org.mozilla.firefox + peer=(name=:*, label=@{profile_name}), + dbus send bus=session path=/org/mozilla/firefox/* + interface=org.mozilla.firefox + peer=(name=org.mozilla.firefox.*, label=@{profile_name}), + dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*, dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} peer=(name="{org.freedesktop.DBus,:*}"), - dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Playlists member=GetPlaylists peer=(name=:*), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=GetTreeFromDevice - peer=(name=:*, label=gvfsd-metadata), - - dbus send bus=session path=/org/mozilla/firefox/Remote - interface=org.mozilla.firefox - peer=(name=org.mozilla.firefox.*, label=@{profile_name}), - - dbus receive bus=session path=/org/mozilla/firefox/Remote - interface=org.mozilla.firefox - peer=(name=:*, label=@{profile_name}), + dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit + interface=org.freedesktop.PowerManagement.Inhibit + member=Inhibit + peer=(name=org.freedesktop.PowerManagement), @{exec_path} 
mrix, @@ -110,7 +96,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, @{lib_dirs}/vaapitest rPx, - @{lib}/mozilla/kmozillahelper rPUx, + @{lib}/mozilla/kmozillahelper rPUx, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, @@ -192,8 +178,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /var/tmp/ r, owner /tmp/user/@{uid}/ rw, owner /tmp/user/@{uid}/* rwk, - owner /tmp/user/@{uid}/Temp-*/ rw, - owner /tmp/user/@{uid}/Temp-*/* rwk, + owner /tmp/user/@{uid}/Temp-@{uuid}/ rw, + owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk, owner /tmp/user/@{uid}/@{name}/ rw, owner /tmp/user/@{uid}/@{name}/* rwk, owner /tmp/@{name}/ rw, @@ -206,7 +192,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner /tmp/MozillaBackgroundTask-*-removeDirectory/ rw, owner /tmp/MozillaBackgroundTask-*-removeDirectory/** rwk, owner /tmp/Mozillato-be-removed-cachePurge-* k, - owner /tmp/Temp-*/ rw, + owner /tmp/Temp-@{uuid}/ rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 8cfaf293..1d645067 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -25,7 +25,7 @@ profile firefox-glxtest @{exec_path} { owner @{config_dirs}/firefox/*/.parentlock rw, - owner /tmp/firefox/.parentlock rw, + owner /tmp/@{name}/.parentlock rw, @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/class r, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 85300a7e..a5a3b2ac 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest 
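Review bot: The remote-control rules now match `path=/org/mozilla/firefox/*` instead of the former `/org/mozilla/firefox/Remote`, with no comment on why the object path was widened; both rules are pinned to `label=@{profile_name}`, so exposure is limited to peers confined by this same profile, but the send rule carries no `member=` and the receive rule accepts any unique name. A comment such as `# Remote control between instances confined by this profile, any object under /org/mozilla/firefox/` above the new `dbus bind bus=session name=org.mozilla.firefox.*,` would record the intent. The hunk also drops the ScreenSaver, UPower EnumerateDevices and gvfs Metadata rules; presumably these moved into an abstraction, but that is not visible here and is worth confirming against the profile's includes. The profile body continues outside the hunk.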
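Review bot: `owner /tmp/Temp-@{uuid}/ rw,` in the last firefox hunk grants the directory only, whereas the parallel pair in the previous hunk also grants `owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,`; if Firefox writes inside /tmp/Temp-@{uuid}/ the way it does under /tmp/user, a matching `owner /tmp/Temp-@{uuid}/* rwk,` line is needed, otherwise the asymmetry deserves a comment. Narrowing `Temp-*` to `Temp-@{uuid}` is a good tightening, but it assumes every directory Firefox creates with that prefix is UUID-named, which is better confirmed from audit denials after rollout than assumed. Both hunks sit inside the firefox profile body, which continues outside them.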
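Review bot: `owner /tmp/@{name}/.parentlock rw,` relies on `@{name}` being declared in firefox-glxtest itself, and the same applies to firefox-vaapitest in the next hunk; profile-level variables are declared per file, so unless each of these files defines `@{name}` at its top the profile will fail to parse. The definition is not visible in either hunk, so please confirm it is present and that it expands to the same set the firefox profile uses for its `/tmp/@{name}/` rules. The profile bodies continue outside the hunks.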
@@ -25,7 +25,7 @@ profile firefox-vaapitest @{exec_path} { /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, - owner /tmp/firefox/.parentlock rw, + owner /tmp/@{name}/.parentlock rw, @{sys}/devices/@{pci}/{irq,revision,resource} r, @{sys}/devices/@{pci}/config r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 873bde84..d9062fec 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -17,6 +17,12 @@ profile gnome-shell-calendar-server @{exec_path} { dbus receive bus=session path=/org/gnome/Shell/CalendarServer interface=org.gnome.Shell.CalendarServer peer=(name=:*, label=gnome-shell), + dbus (send receive) bus=session path=/org/gnome/Shell/CalendarServer + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + dbus send bus=session path=/org/gnome/Shell/CalendarServer + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**} interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index f4408837..a60a4c4b 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -13,8 +13,8 @@ profile goa-daemon @{exec_path} { include include include + include include - include include include include @@ -39,15 +39,8 @@ profile goa-daemon @{exec_path} { member=GetAll peer=(name=:*, label=goa-identity-service), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/lib/gdm{3,}/.config/dconf/user r, owner @{user_config_dirs}/goa-1.0/ rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 84df7f49..d985ab17 100644 
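Review bot: The new `dbus (send receive) bus=session path=/org/gnome/Shell/CalendarServer interface=org.freedesktop.DBus.Properties peer=(name=:*)` rule has no `label=` and no `member=`, while the rule directly above it pins the same object path to `label=gnome-shell`; if gnome-shell is the only client reading these properties, `peer=(name=:*, label=gnome-shell)` keeps the two rules consistent and avoids letting any session-bus peer exchange Properties messages with the server. Restricting `member=` to what is actually observed (`GetAll` and `PropertiesChanged` are what the other profiles in this patch use) would narrow it further. The second new rule, the send to `org.freedesktop.DBus`, looks fine. The profile body continues outside the hunk.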
--- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -18,27 +18,17 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, dbus bind bus=session name=org.gnome.SettingsDaemon.Keyboard, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/xkb/** r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, @@ -47,8 +37,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index ac9bab53..3c929c90 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -231,18 +231,8 @@ profile hw-probe @{exec_path} { owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/dev r, + include if exists } - profile curl { - include - include - include - include - - @{bin}/curl mr, - - } - - include if exists } diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon index 2f8c60e7..f393a5cc 100644 --- a/apparmor.d/profiles-m-r/mate-notification-daemon +++ b/apparmor.d/profiles-m-r/mate-notification-daemon @@ -11,6 +11,7 @@ profile mate-notification-daemon @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index 0b32ffbe..b0560ad5 100644 
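Review bot: Removing the `curl` child profile from hw-probe leaves `@{bin}/curl` with no rule inside this hunk; unless the parent profile already has a transition rule for it above the hunk (for instance `@{bin}/curl rPx,` to a standalone curl profile), hw-probe's curl invocations will now be denied, and if curl instead falls under a broad `rPUx` rule the upload runs unconfined rather than under the former child profile. The rest of the profile is not visible here, so please confirm which case applies and add a comment on the curl rule stating the intended confinement. The profile body starts outside the hunk.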
--- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -18,6 +18,7 @@ profile torsocks @{exec_path} { @{bin}/{,ba,da}sh rix, @{bin}/* rPUx, + @{lib}/uwt/uwtexec rPUx, @{bin}/getcap rix, /etc/tor/torsocks.conf r,
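Review bot: `@{lib}/uwt/uwtexec rPUx,` is placed between `@{bin}/* rPUx,` and `@{bin}/getcap rix,`, splitting the `@{bin}` group; moving it after the `@{bin}` rules keeps the file's grouping. `rPUx` falls back to unconfined when no profile for uwtexec exists, which matches the neighbouring `@{bin}/* rPUx,`, but a short comment saying what uwtexec is (presumably the uwt wrapper that re-invokes torsocks, to be confirmed) and that the unconfined fallback is intentional would help the next reader judge it. The profile body continues outside the hunk.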