From 2a20b69c65d7eb3372110ee7fb283f9d6db206cf Mon Sep 17 00:00:00 2001
From: nobody43
Date: Mon, 3 Apr 2023 01:41:31 +0000
Subject: [PATCH] readers
---
 apparmor.d/groups/apps/calibre | 68 +++++++++++++++++++++----
 apparmor.d/groups/bus/dbus-daemon | 1 +
 apparmor.d/profiles-a-f/atril | 50 +++++++++++++++++++
 apparmor.d/profiles-a-f/atrild | 12 +++++
 apparmor.d/profiles-a-f/evince | 83 +++++++++++++++++++++++++++++++
 5 files changed, 204 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index d2fb41f2..4487594e 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@@ -33,15 +33,60 @@ profile calibre @{exec_path} { include include include + include + include + include capability sys_ptrace, network netlink raw, + # also denies network mounts + deny network inet, + deny network inet6, + + unix (send, receive) type=stream peer=(addr=none, label=xorg), + unix (bind, listen) type=stream addr="@*-calibre-gui.socket", + unix (bind) type=stream addr="@calibre-*", + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*), @{exec_path} mrix, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}{s,}bin/ldconfig rix, + /{usr/,}{s,}bin/ldconfig{,.real} rix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/file rix, /{usr/,}bin/uname rix, 
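Review bot: The new `dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*)` rule has no peer label, so any process on the accessibility bus may set properties on calibre's root accessible; the equivalent rule added to atril and evince in this same patch pins the sender with `peer=(name=:*, label=at-spi2-registryd)`. Unless calibre has been observed receiving this call from another label, tighten it to `peer=(name=:*, label=at-spi2-registryd),` to match the sibling profiles. The enclosing `profile calibre` block starts before and ends after this hunk.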
@@ -58,16 +103,16 @@ profile calibre @{exec_path} {
 /usr/share/hwdata/pnp.ids r,
 /usr/share/qt5/**.pak r,
 /usr/share/qt5ct/** r,
+ /usr/share/zoneinfo-icu/**.res r,
 /etc/fstab r,
 /etc/inputrc r,
 /etc/magic r,
 /etc/mime.types r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
- owner @{HOME}/ r,
+ owner "@{HOME}/Calibre Library/{,**}" rw,
+ owner "@{HOME}/Calibre Library/metadata.db" rwk,
 owner @{user_documents_dirs}/{,**} rwl,
 owner @{user_books_dirs}/{,**} rwl,
 owner @{user_torrents_dirs}/{,**} rwl,
@@ -98,7 +143,8 @@ profile calibre @{exec_path} {
 owner /tmp/calibre_*_tmp_*/{,**} rw,
 owner /tmp/calibre-*/{,**} rw,
 owner /tmp/[0-9]*-*/ rw,
- owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,
+ owner /tmp/[0-9]*-*/** rwl,
+# owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, # newer AA version
 owner /tmp/* rw,
 owner /dev/shm/#[0-9]*[0-9] rw,
@@ -106,19 +152,21 @@ profile calibre @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/irq r,
 @{PROC}/ r,
- @{PROC}/@{pid}/net/route r,
+ @{PROC}/@{pids}/net/route r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/vmstat r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pids}/stat r,
- owner @{PROC}/@{pids}/task/ r,
- owner @{PROC}/@{pids}/task/@{tid}/status r,
- deny @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/stat{,m} r,
+ owner @{PROC}/@{pid}/comm r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/status r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 deny owner @{PROC}/@{pid}/cmdline r,
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ deny @{PROC}/sys/kernel/random/boot_id r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index ef0156cd..ff9c44ab 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
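Review bot: Replacing `owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,` with a bare `owner /tmp/[0-9]*-*/** rwl,` removes the explicit restriction on where hard links created under those temp directories may point; as I read AppArmor's link semantics, a bare `l` then only requires the profile to hold matching permissions on the target, so links into other writable paths of this profile become possible. The commented-out line keeps the intent but `# newer AA version` does not say which version is needed or that this is a temporary relaxation. Suggested comment in its place: `# TODO: re-enable the explicit "-> target" form once the minimum supported AppArmor version parses it; the bare "l" below is broader.` The enclosing `profile calibre` block starts before and ends after this hunk.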
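Review bot: The change from `@{PROC}/@{pid}/net/route r,` to `@{PROC}/@{pids}/net/route r,` widens the read from calibre's own entry to every process's route table, and the rule has no `owner` qualifier either way. For processes in the same network namespace the content is identical, so if the wildcard was added only because a child or helper of calibre reads a sibling's entry, `owner @{PROC}/@{pids}/net/route r,` keeps it to the user's own processes; otherwise a one-line comment on why all pids are needed would help the next reader. The enclosing `profile calibre` block starts before and ends after this hunk.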
@@ -49,6 +49,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
 /{usr/,}lib/ibus/ibus-* rPx,
 /{usr/,}lib/telepathy/mission-control-5 rPx,
+ /{usr/,}lib/atril/atrild rPx,
 /usr/share/gnome-documents/org.gnome.Documents rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index aa9211f5..3ea5a707 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -17,9 +17,51 @@ profile atril @{exec_path} { include include include + include + include + include + include network netlink raw, + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*), + + dbus send bus=session path=/org/mate/atril/{,**} + peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members + + dbus send bus=session path=/org/mate/atril/Daemon + interface=org.mate.atril.Daemon + member={RegisterDocument,UnregisterDocument} + peer=(name=org.mate.atril.Daemon), # no peer's labels + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -44,6 +86,8 @@ profile atril @{exec_path} { owner @{user_cache_dirs}/atril/{,**} rw, + owner @{user_share_dirs}/ r, + owner /tmp/gtkprint_* rw, owner /tmp/settings*.ini rw, owner /tmp/settings*.ini.* rw, @@ -65,3 +109,9 @@ profile atril @{exec_path} { include if exists } + +profile /{usr/,}bin/atril-previewer { + include + + include if exists +} 
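Review bot: The `RegisterDocument`/`UnregisterDocument` send rule uses `peer=(name=org.mate.atril.Daemon)` with no label, so any process that has acquired that bus name is accepted as the daemon; the atrild hunk of this same patch adds `dbus bind bus=session name=org.mate.atril.Daemon,` to the atrild profile, which makes `peer=(name=org.mate.atril.Daemon, label=atrild),` the natural restriction. The trailing `# no peer's labels` reads as an observation rather than a reason; if the name can legitimately be held by an unconfined atrild (for example when it is started by something other than the dbus-daemon rPx rule added here), say so in that comment instead. The enclosing `profile atril` block starts before and ends after this hunk.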
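Review bot: The new `profile /{usr/,}bin/atril-previewer {` block grants no map/execute permission on its own binary, whereas the evince-previewer and evince-thumbnailer profiles added in this patch each carry an `mr` rule for theirs; unless one of its includes supplies it (the include names are not visible in this rendering), add `/{usr/,}bin/atril-previewer mr,`. It is also unnamed, unlike `profile evince-previewer /{,usr/}bin/evince-previewer`, so it cannot be referenced as a `label=` peer; the atrild hunk pins its peer to `label=atril`, which would not match the previewer if it ever talks to the daemon. A named form such as `profile atril-previewer /{usr/,}bin/atril-previewer {` keeps the two readers consistent.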
diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index c9cf4324..c2bd244a 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild @@ -9,6 +9,18 @@ include @{exec_path} = /{usr/,}lib/atril/atrild profile atrild @{exec_path} { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus (send, receive) bus=session path=/org/mate/atril/** + peer=(name="{:*,org.freedesktop.DBus}", label=atril), # all interfaces and members + + dbus bind bus=session + name=org.mate.atril.Daemon, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 65b5e464..e11aaabe 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince 
@@ -15,10 +15,70 @@ profile evince @{exec_path} { include include include + include + include + include + # also denies network mounts deny network inet, deny network inet6, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={Set,GetTreeFromDevice} + peer=(name=:*), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=:*), + + dbus send bus=session path=/org/gnome/evince/Daemon + interface=org.gnome.evince.Daemon + member=RegisterDocument + peer=(name=org.gnome.evince.Daemon), # no peer's labels + + dbus (send, receive) bus=session path=/org/gnome/evince/{,**} + peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", label=@{profile_name}), # all interfaces and members + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + 
interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus bind bus=session + name=org.gnome.evince.Daemon, + @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -51,3 +111,26 @@ profile evince @{exec_path} { include if exists } + +profile evince-previewer /{,usr/}bin/evince-previewer { + include + include + include + + unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label=xorg), + + /{,usr/}bin/evince-previewer mr, + + # X-tiny + owner @{HOME}/.Xauthority r, + + include if exists +} + +profile evince-thumbnailer /{,usr/}bin/evince-thumbnailer { + include + + /{,usr/}bin/evince-thumbnailer mr, + + include if exists +}
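Review bot: The `dbus send bus=session path=/org/gnome/evince/Daemon ... member=RegisterDocument peer=(name=org.gnome.evince.Daemon)` rule carries no label, yet this same hunk adds `dbus bind bus=session name=org.gnome.evince.Daemon,` to the evince profile and a `dbus (send, receive) ... path=/org/gnome/evince/{,**} ... label=@{profile_name}` rule that already covers a daemon running under this profile. The unlabeled rule therefore only adds peers with some other label; if that is intended (an instance of the daemon running outside this profile), the `# no peer's labels` comment should name that case, otherwise the rule can be dropped as redundant. The enclosing `profile evince` block starts before this hunk.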
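Review bot: The new evince-previewer and evince-thumbnailer profiles lack the explicit `deny network inet,` / `deny network inet6,` pair that the main evince profile uses (with the `# also denies network mounts` comment) to override whatever its includes grant; both sub-profiles render untrusted documents, and the thumbnailer in particular is invoked on files the user has not opened. Unless their includes (names not visible here) are known to grant no network access, add the same two deny lines to each profile so the intent is explicit and does not depend on abstraction contents.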