From 449c8d3e3ab3ce0f434c730c7c3169fc691f5425 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Oct 2024 13:16:03 +0100 Subject: [PATCH 01/64] tests(integration): add more tests. --- tests/bats/chsh.bats | 28 +++++++++++++++++++++++ tests/bats/lsusb.bats | 28 +++++++++++++++++++++++ tests/bats/useradd.bats | 49 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+) create mode 100644 tests/bats/chsh.bats create mode 100644 tests/bats/lsusb.bats create mode 100644 tests/bats/useradd.bats diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats new file mode 100644 index 00000000..42cfa115 --- /dev/null +++ b/tests/bats/chsh.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=chsh +@test "chsh: [l]ist available shells" { + chsh --list-shells + aa_check +} + +# bats test_tags=chsh +@test "chsh: Set a specific login [s]hell for the current user" { + chsh --shell /usr/bin/bash + aa_check +} + +# bats test_tags=chsh +@test "chsh: Set a login [s]hell for a specific user" { + sudo chsh --shell /usr/bin/sh root + aa_check +} diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats new file mode 100644 index 00000000..530841a2 --- /dev/null +++ b/tests/bats/lsusb.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=lsusb +@test "lsusb: List all the USB devices available" { + lsusb + aa_check +} + +# bats test_tags=lsusb +@test "lsusb: List the USB hierarchy as a tree" { + lsusb -t + aa_check +} + +# bats test_tags=lsusb +@test "lsusb: List verbose information about USB devices" { + lsusb --verbose + aa_check +} 
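Review bot: Both `chsh --shell` tests permanently change a login shell (the invoking user's, then root's via `sudo chsh --shell /usr/bin/sh root`) and nothing restores the previous value, so the change outlives the test file and every later login in a persistent test machine. If the suite is only ever run inside a disposable VM, a comment at the top of the file should say so; otherwise record the original shells in `setup_file()` (e.g. from `getent passwd`) and put them back in a `teardown_file()` with `chsh --shell`. `/usr/bin/sh` also presumably exists only on merged-/usr systems, so `/bin/sh` would be the more portable target — worth confirming against the distributions the suite runs on.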
diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats new file mode 100644 index 00000000..833e0160 --- /dev/null +++ b/tests/bats/useradd.bats @@ -0,0 +1,49 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=useradd +@test "useradd: Create a new user with the specified shell" { + sudo useradd --shell /bin/bash --create-home user2 + aa_check +} + +# bats test_tags=useradd +@test "useradd: Create a new user with the specified user ID" { + sudo useradd --uid 3000 user3 + aa_check +} + +# bats test_tags=useradd +@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { + sudo useradd --groups adm user4 + aa_check +} + + +# bats test_tags=useradd +@test "useradd: Create a new system user without the home directory" { + sudo useradd --system sys2 + aa_check +} + +# bats test_tags=userdel +@test "userdel: Remove a user" { + sudo userdel user3 + sudo userdel user4 + sudo userdel sys2 + aa_check +} + +# bats test_tags=userdel +@test "userdel: Remove a user along with the home directory and mail spool" { + sudo userdel --remove user2 + aa_check +} From 5240dcbdd1290644041afa034c73c27f01b76e55 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Oct 2024 13:38:42 +0100 Subject: [PATCH 02/64] fix(test): minor fixes. --- apparmor.d/profiles-a-f/chsh | 11 +++-------- apparmor.d/profiles-s-z/useradd | 4 ++-- tests/bats/chsh.bats | 2 +- tests/bats/lsusb.bats | 6 +++--- 4 files changed, 9 insertions(+), 14 deletions(-) diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index 61885ed4..f73ae670 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh 
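Review bot: The two `userdel` tests depend on the `useradd` tests earlier in the same file having succeeded, so a failed or tag-filtered run (`--filter-tags userdel`, or `useradd` alone) leaves `user2`..`user4` and `sys2` on the host and makes the next run's `useradd` fail on an existing account. A `teardown_file()` such as `for u in user2 user3 user4 sys2; do sudo userdel --remove "$u" 2>/dev/null || true; done` would make the file self-cleaning regardless of which tests ran. `user4` is also added to `adm`, which on Debian-family systems grants log-reading rights; fine for a throwaway VM, but a one-line comment stating that assumption would help.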
@@ -10,26 +10,19 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary capability setuid, network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pid}/loginuid r, - /etc/shells r, /etc/passwd rw, @@ -44,6 +37,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 42ab8760..0fbb9aa6 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -53,9 +53,9 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/.** w, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index 42cfa115..5365fea6 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats @@ -11,7 +11,7 @@ setup_file() { # bats test_tags=chsh @test "chsh: [l]ist available shells" { - chsh --list-shells + chsh --list-shells || true aa_check } diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats index 530841a2..8f646d89 100644 --- a/tests/bats/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -11,18 +11,18 @@ setup_file() { # bats test_tags=lsusb @test "lsusb: List all the USB devices available" { - lsusb + lsusb || true aa_check } # bats test_tags=lsusb @test "lsusb: List the USB hierarchy as a tree" { - lsusb -t + lsusb -t || true aa_check } # bats test_tags=lsusb @test "lsusb: List verbose information about USB devices" { - lsusb --verbose + lsusb --verbose || true aa_check } From 51dfe0d35f0bbc8b5dc01e34c8ab8697033f6d24 Mon Sep 17 00:00:00 2001 
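Review bot: Dropping `# gpasswd is a SETUID binary` is right (the comment was a copy-paste error; this is the chsh profile), but the replacement leaves `capability chown`, `fsetid` and `setuid` with no rationale at all, and these are the rules a reviewer most wants justified. Suggested wording above the capability block: `# chsh is setuid root; chown/fsetid are presumably needed to rewrite /etc/passwd with the original owner and mode intact` — the "presumably" should be confirmed against the denials that motivated them. The profile body continues outside the hunk.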
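Review bot: `lsusb ... || true` in all three tests (and `chsh --list-shells || true` in the hunk above) hides every non-zero exit, including failures unrelated to AppArmor, so the test passes as long as `aa_check` finds no denial in the log. That is acceptable if the intent is "must not be denied even on a host with no USB devices", but the file should say so: `# lsusb exits non-zero on hosts without USB devices; only the AppArmor log is asserted here`.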
From: barmogund Date: Sat, 9 Nov 2024 20:04:15 +0100 Subject: [PATCH 03/64] Add support for tlp (#585) --- apparmor.d/profiles-g-l/hdparm | 2 +- apparmor.d/profiles-s-z/tlp | 102 +++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/tlp diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 606540bb..a4fa3497 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/hdparm profile hdparm @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp new file mode 100644 index 00000000..af5f6706 --- /dev/null +++ b/apparmor.d/profiles-s-z/tlp 
@@ -0,0 +1,102 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# Copyright (C) 2024 Barmogund +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tlp +profile tlp @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + capability dac_read_search, + capability net_admin, + capability sys_nice, + capability sys_rawio, + capability sys_tty_config, + + network netlink raw, + + ptrace read peer=unconfined, + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + @{bin}/logger rix, + @{sh_path} rix, + @{bin}/cp rix, + @{bin}/chmod rix, + @{bin}/flock rix, + @{bin}/sort rix, + @{bin}/head rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/tr rix, + @{bin}/ethtool rix, + @{bin}/grep rix, + @{bin}/touch rix, + @{bin}/cat rix, + @{bin}/rm rix, + @{bin}/id rPx, + @{bin}/iw rPx, + @{bin}/hdparm rPx, + @{bin}/uname rpx, + @{bin}/udevadm rCx -> udevadm, + /usr/share/tlp/tlp-readconfs rix, + + / r, + + /etc/tlp.d/ r, + /etc/tlp.d/** rw, + /etc/tlp.conf rw, + + /usr/share/tlp/** r, + + /var/lib/power-profiles-daemon/state.ini rw, + + @{run}/udev/data/+platform:* r, + owner @{run}/tlp/* rw, + owner @{run}/tlp/lock_tlp rwk, + + @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/module/pcie_aspm/parameters/policy rw, + @{sys}/module/snd_hda_intel/parameters/power_save rw, + @{sys}/module/snd_hda_intel/parameters/power_save_controller rw, + @{sys}/firmware/acpi/platform_profile* rw, + @{sys}/firmware/acpi/pm_profile* rw, + + owner @{PROC}/sys/vm/laptop_mode rw, + owner @{PROC}/sys/vm/dirty_writeback_centisecs rw, + owner @{PROC}/sys/vm/dirty_expire_centisecs rw, + owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, + owner @{PROC}/sys/kernel/nmi_watchdog rw, + + /dev/disk/by-id/ r, + /dev/tty rw, + + profile systemctl { + include + include + + include if exists + } + + profile udevadm { + include + 
include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From 7b9d412f02f1474968ddd3278dd900ff9d805b45 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:00:45 +0000 Subject: [PATCH 04/64] feat(profile): gnome: allow receiving signal from gdm-session-worker as well as gdm. --- apparmor.d/groups/bus/at-spi2-registryd | 3 ++- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/freedesktop/xdg-document-portal | 3 ++- apparmor.d/groups/freedesktop/xdg-permission-store | 5 +++-- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 8ead7a4e..fd970709 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -16,7 +16,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(term) peer=gdm, + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=accessibility name=org.a11y.atspi #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 53218d82..8d8ae666 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -32,6 +32,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace read, signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop 
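Review bot: `@{bin}/uname rpx` uses a lowercase `p`, so unlike the `rPx` transitions for `id`, `iw` and `hdparm` the environment is not scrubbed on that exec; unless that is deliberate it should read `@{bin}/uname rPx,`. `ptrace read peer=unconfined` is a broad grant for a power-management script — if it exists only because tlp inspects `/proc/<pid>` of unconfined processes, a comment naming that code path would let a future reader judge whether it is still needed. Likewise `/etc/tlp.conf rw` and `/etc/tlp.d/** rw` give tlp write access to its own configuration; unless tlp actually rewrites those files, `r` should suffice, which is worth confirming against the denial that prompted the rule.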
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d47b830e..75ec9517 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -22,7 +22,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/, - signal (receive) set=(term) peer=gdm, + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, ptrace (read), diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 298bc059..441692de 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -15,8 +15,9 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { capability sys_nice, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm, + signal receive set=(term hup kill) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.PermissionStore From 3c0b83d1b0238765af951860b1713cb5dfdc7b46 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:02:07 +0000 Subject: [PATCH 05/64] feat(profile): improve some systemd profiles. --- apparmor.d/groups/systemd/systemd-cat | 5 ++--- apparmor.d/groups/systemd/systemd-cgls | 6 +++++- apparmor.d/groups/systemd/systemd-escape | 1 - apparmor.d/groups/systemd/systemd-sysusers | 6 ++++++ apparmor.d/groups/systemd/systemd-userdbd | 2 ++ apparmor.d/groups/systemd/userdbctl | 5 ++++- 6 files changed, 19 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 967d776d..fd202c18 100644 --- a/apparmor.d/groups/systemd/systemd-cat 
+++ b/apparmor.d/groups/systemd/systemd-cat @@ -9,14 +9,13 @@ include @{exec_path} = @{bin}/systemd-cat profile systemd-cat @{exec_path} { include + include + include capability net_admin, @{exec_path} mr, - @{bin}/cat rix, - @{bin}/echo rix, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index d0ded5ee..e74280f6 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -10,7 +10,11 @@ include profile systemd-cgls @{exec_path} { include - ptrace (read), + capability sys_ptrace, + + ptrace read, + + signal send set=cont peer=child-pager, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape index 4a542497..469ccc94 100644 --- a/apparmor.d/groups/systemd/systemd-escape +++ b/apparmor.d/groups/systemd/systemd-escape @@ -10,7 +10,6 @@ include profile systemd-escape @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index e1ca76d5..254faeca 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -16,8 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { capability fsetid, capability net_admin, + signal send set=cont peer=child-pager, + @{exec_path} mr, + @{pager_path} rPx -> child-pager, + # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, @@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/.#{group,gshadow}@{hex} rw, /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/cgroup r, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index a38e455f..ce698dc9 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd 
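Review bot: `signal send set=cont peer=child-pager` is added to systemd-cgls, but this hunk contains no `@{pager_path} rPx -> child-pager` rule (the systemd-sysusers hunk in the same patch adds both together), so either an include outside the hunk provides the transition or the signal rule is unreachable; a later change to this profile in the series adds an include that may be the missing piece, worth double-checking. The new `capability sys_ptrace` alongside `ptrace read` is what lets cgls read `/proc/<pid>` state of processes owned by other users, which is expected for a root-run cgroup lister, but a one-line comment such as `# read /proc/<pid> of every process in the cgroup tree` would record why it is granted.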
@@ -25,7 +25,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{lib}/systemd/systemd-userwork rix, + /etc/gshadow r, /etc/shadow r, + /etc/machine-id r, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index b4081eac..97625db3 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -21,11 +21,14 @@ profile userdbctl @{exec_path} { @{pager_path} rPx -> child-pager, - /etc/shadow r, /etc/gshadow r, + /etc/shadow r, + + /etc/machine-id r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/uid_map r, include if exists From d30b673e99d4bc5931470353e6edfea5139e40ed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:04:08 +0000 Subject: [PATCH 06/64] feat(profile): ip: improve support for network ns. --- apparmor.d/profiles-g-l/ip | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 1c870d94..2797ae2b 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,19 +20,20 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount options=(rw, bind, rshared) -> /{var/,}run/netns/, - mount options=(rw, rslave) -> /, - mount options=(rw, bind) / -> /{var/,}run/netns/*, - mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf, - mount fstype=sysfs -> /sys/, + mount options=(rw, rshared) -> @{run}/netns/, + mount options=(rw, rslave) -> /, + mount options=(rw, bind) @{att}/ -> @{run}/netns/*, + mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf, + mount fstype=sysfs -> /sys/, umount @{run}/netns/*, umount /sys/, @{exec_path} mrix, - @{sh_path} rix, + @{shells_path} rUx, + @{bin}/sudo rPx, - / r, + @{att}/ r, /etc/iproute2/{,**} r, /etc/netns/*/ r, 
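Review bot: `@{shells_path} rUx` replaces `@{sh_path} rix`, so `ip netns exec <ns> sh` now starts a fully unconfined shell, and any profile that is allowed to `Px` into `ip` gains a confinement escape through it. With `rix` the shell inherited `ip`'s profile, which breaks most `ip netns exec <cmd>` uses and is presumably why this changed; if the intended caller is an administrator in an unconfined terminal, a dedicated child profile or at least a comment recording the trade-off (`# ip netns exec runs the user's shell unconfined on purpose`) would make the decision visible. The same consideration applies to the new `@{bin}/sudo rPx`. The profile body continues outside the hunk.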
From 8f904132e19a9d13e57bc0216aaafc4dfa182c7f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:06:43 +0000 Subject: [PATCH 07/64] feat(profile): improve libreoffice tmp files. --- apparmor.d/profiles-g-l/libreoffice | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 2198ad92..6e1a2d07 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -83,12 +83,13 @@ profile libreoffice @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{tmp}/ r, - owner @{tmp}/@{rand6} rwk, - owner @{tmp}/*.tmp/{,**} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, owner @{tmp}/.java_pid@{int}{,.tmp} rw, + owner @{tmp}/@{rand6} rwk, + owner @{tmp}/@{u64} rw, + owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, owner @{run}/user/@{uid}/#@{int} rw, From d2f7ee0bb4fcbf4f355b1ad1516bddfde0353dd2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:10:18 +0000 Subject: [PATCH 08/64] feat(abs): add the devices-usb-read abstraction. --- apparmor.d/abstractions/devices-usb | 19 +++------------- apparmor.d/abstractions/devices-usb-read | 29 ++++++++++++++++++++++++ apparmor.d/profiles-g-l/lsusb | 2 +- 3 files changed, 33 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/devices-usb-read diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 1a85a010..85f8f6b9 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb 
@@ -5,24 +5,11 @@ abi , - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} rwk, + include - @{sys}/class/ r, - @{sys}/class/usbmisc/ r, + /dev/bus/usb/@{int}/@{int} wk, - @{sys}/bus/ r, - @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, - - @{sys}/devices/**/usb@{int}/{,**} rw, - - # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{sys}/devices/**/usb@{int}/{,**} w, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read new file mode 100644 index 00000000..6bd0c801 --- /dev/null +++ b/apparmor.d/abstractions/devices-usb-read @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{int}/@{int} r, + + @{sys}/class/ r, + @{sys}/class/usbmisc/ r, + + @{sys}/bus/ r, + @{sys}/bus/usb/ r, + @{sys}/bus/usb/devices/{,**} r, + + @{sys}/devices/**/usb@{int}/{,**} r, + + # Udev data about usb devices (~equal to content of lsusb -v) + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb index b628b366..40e902a8 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/profiles-g-l/lsusb @@ -11,7 +11,7 @@ include profile lsusb @{exec_path} { include include - include + include capability net_admin, From 802259e99483afc19310e1f220a241c5f507bbe7 Mon Sep 17 00:00:00 2001 
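Review bot: The character classes `c16[6,7]:@{int}` and `c18[0,8,9]:@{int}` carried into the new `devices-usb-read` abstraction contain a literal comma, so they also match `c16,:...` and `c18,:...` — harmless, but not what the trailing comments describe; `c16[67]:@{int}` and `c18[089]:@{int}` are the intended patterns. In the now write-side `devices-usb`, `@{sys}/devices/**/usb@{int}/{,**} w` still covers every attribute below a USB device (including ones such as `authorized` and `remove`); that predates the split, but now that read-only consumers have their own abstraction a comment stating `# only for profiles that reconfigure or reset USB devices; readers use devices-usb-read` would help keep it that way.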
From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:15:22 +0000 Subject: [PATCH 09/64] feat(abs): add support for xe intel driver. observation_paranoid is the new perf_stream_paranoid See https://lists.freedesktop.org/archives/igt-dev/2024-July/075082.html fix #601 --- apparmor.d/abstractions/mesa.d/complete | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 8ac3ad7f..a1916636 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -26,4 +26,6 @@ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + @{PROC}/sys/dev/xe/observation_paranoid r, + # vim:syntax=apparmor From b0436029f02fb2a4c8a92be2150cd16e460bf019 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:20:00 +0000 Subject: [PATCH 10/64] fix(profile): ensure cpu policy can be set regardless of the CPU. fix #602 --- apparmor.d/groups/freedesktop/cpupower | 9 ++------- apparmor.d/profiles-m-r/power-profiles-daemon | 3 +-- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index b9811b1a..2d58faff 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower 
@@ -28,15 +28,10 @@ profile cpupower @{exec_path} { @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r, @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw, @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, - - @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, - @{sys}/devices/system/cpu/cpu@{int}/online r, + @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, /dev/cpu/@{int}/msr r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index b3968280..fe4e3572 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -40,8 +40,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, From d448e3ea087fafe5779089af7733af7541aa8b95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:23:02 +0000 Subject: [PATCH 11/64] fix(profile): ensure keepass can check program calling its secret service. fix #582 --- apparmor.d/profiles-g-l/keepassxc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
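Review bot: This hunk drops `@{sys}/devices/system/cpu/cpu@{int}/online r` and none of the remaining rules visibly match that path, so cpupower may now be denied reading it unless an abstraction outside the hunk supplies it — worth confirming. The replacement `policy@{int}/* rw` also grants write to every attribute under a policy directory, not only the three previously listed; if #602 was about one attribute whose name differs between drivers, naming the candidates (`policy@{int}/{scaling_*,energy_performance_preference,boost} rw,` plus `policy@{int}/* r,`) keeps the profile closer to least privilege.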
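Review bot: `policy@{int}/* rw` widens power-profiles-daemon from two named attributes (`energy_performance_preference`, `scaling_governor`) to every file in the policy directory. If the motivation is that the writable attribute depends on the cpufreq driver in use, listing the alternatives — e.g. `policy@{int}/{energy_performance_preference,scaling_governor,boost} rw,` with `policy@{int}/* r,` for the rest — documents that and keeps the remaining attributes read-only; at minimum a comment pointing at #602 should explain the wildcard.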
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index f48113b0..90a65a84 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -83,12 +83,13 @@ profile keepassxc @{exec_path} { owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, - @{PROC}/@{pids}/comm r, - @{PROC}/modules r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, + @{PROC}/modules r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, /dev/tty rw, From 0ec65c5653cb35fff71975892e36850386a495a3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:33:51 +0000 Subject: [PATCH 12/64] chore: fix trailing whitespace. --- apparmor.d/profiles-g-l/keepassxc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 90a65a84..d2dee61a 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -88,7 +88,7 @@ profile keepassxc @{exec_path} { @{PROC}/modules r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, From 3e0583fd8e1a7ae1bb7e17cdc55763d799c124e4 Mon Sep 17 00:00:00 2001 
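Review bot: `@{PROC}/@{pid}/comm r` and the new `@{PROC}/@{pid}/stat r` carry no `owner` while `cmdline` keeps it, so keepassxc can read the name and state of every process on the system rather than only the same-user D-Bus peers it is verifying. If the peer check only needs same-uid callers, `owner` on all three keeps the rules consistent; if it deliberately walks parent PIDs up into root-owned processes, a comment should say so. Either way a caveat in the profile is warranted, along the lines of `# peer identification only: comm and cmdline are set by the peer itself, not an authentication boundary`.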
From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:46:33 +0000 Subject: [PATCH 13/64] feat(profile): various small improvement. --- apparmor.d/groups/browsers/chromium-sandbox | 2 +- apparmor.d/groups/freedesktop/dconf-service | 3 +- apparmor.d/groups/kde/startplasma | 1 - apparmor.d/profiles-m-r/mullvad-setup | 4 ++ apparmor.d/profiles-s-z/thunderbird | 2 +- apparmor.d/profiles-s-z/tlp | 45 +++++++++++---------- apparmor.d/profiles-s-z/transmission | 2 +- 7 files changed, 31 insertions(+), 28 deletions(-) diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index 98ebf5b6..f32af44c 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/chromium/chrome-sandbox -profile chromium-sandbox @{exec_path} { +profile chromium-sandbox @{exec_path} flags=(attach_disconnected) { include capability dac_override, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index ccebcad7..790f03be 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,dconf/}dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include + include include include @@ -38,8 +39,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index f10e80d7..773122f5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -37,7 +37,6 @@ profile startplasma @{exec_path} { /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, - /etc/locale.alias r, /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, 
diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index 77ac0704..b30da1c1 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,6 +13,10 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 997b81fb..9a50dafa 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -54,7 +54,7 @@ profile thunderbird @{exec_path} { owner @{tmp}/MozillaMailnews/*.msf rw, owner @{tmp}/nscopy.tmp rw, owner @{tmp}/nsemail{,-@{int}}.eml rw, - owner @{tmp}/nsma rw, + owner @{tmp}/nsma{,-@{int}} rw, owner @{tmp}/pid-@{pid}/{,**} w, /dev/urandom w, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index af5f6706..0378e62f 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp 
@@ -29,27 +29,27 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/systemctl rCx -> systemctl, - @{bin}/logger rix, @{sh_path} rix, - @{bin}/cp rix, - @{bin}/chmod rix, - @{bin}/flock rix, - @{bin}/sort rix, - @{bin}/head rix, - @{bin}/mktemp rix, - @{bin}/readlink rix, - @{bin}/tr rix, - @{bin}/ethtool rix, - @{bin}/grep rix, - @{bin}/touch rix, @{bin}/cat rix, - @{bin}/rm rix, + @{bin}/chmod rix, + @{bin}/cp rix, + @{bin}/ethtool rix, + @{bin}/flock rix, + @{bin}/grep rix, + @{bin}/hdparm rPx, + @{bin}/head rix, @{bin}/id rPx, @{bin}/iw rPx, - @{bin}/hdparm rPx, + @{bin}/logger rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sort rix, + @{bin}/systemctl rCx -> systemctl, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/udevadm rCx -> udevadm, @{bin}/uname rpx, - @{bin}/udevadm rCx -> udevadm, /usr/share/tlp/tlp-readconfs rix, / r, @@ -58,14 +58,16 @@ profile tlp @{exec_path} flags=(attach_disconnected) { /etc/tlp.d/** rw, /etc/tlp.conf rw, - /usr/share/tlp/** r, + /usr/share/tlp/{,**} r, + /var/lib/tlp/{,**} rw, /var/lib/power-profiles-daemon/state.ini rw, - @{run}/udev/data/+platform:* r, - owner @{run}/tlp/* rw, + owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, + @{run}/udev/data/+platform:* r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, @{sys}/module/pcie_aspm/parameters/policy rw, @{sys}/module/snd_hda_intel/parameters/power_save rw, @@ -73,11 +75,10 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, - owner @{PROC}/sys/vm/laptop_mode rw, - owner @{PROC}/sys/vm/dirty_writeback_centisecs rw, - owner @{PROC}/sys/vm/dirty_expire_centisecs rw, owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, owner @{PROC}/sys/kernel/nmi_watchdog rw, + owner @{PROC}/sys/vm/dirty_*_centisecs rw, + owner @{PROC}/sys/vm/laptop_mode rw, /dev/disk/by-id/ r, /dev/tty rw, 
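Review bot: The reordered exec list keeps `@{bin}/uname rpx` (as a context line) with a lowercase `p` while every other transition uses `rPx`, so the environment is not scrubbed for that one exec; since this hunk rewrites the surrounding lines it is the place to make it `@{bin}/uname rPx,` unless the unscrubbed environment is intended. `owner @{run}/tlp/{,**} rw` now also covers `lock_tlp`, so the separate `owner @{run}/tlp/lock_tlp rwk` line only contributes `k`; fine, but a short `# flock on lock_tlp` comment would explain why it stays.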
diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index a6ccb7e2..2a39981d 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/transmission-{gtk,qt} -profile transmission @{exec_path} { +profile transmission @{exec_path} flags=(attach_disconnected) { include include include From 4d11367bec96dc012cc333e0264b59625e0bcfbb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Nov 2024 19:55:21 +0000 Subject: [PATCH 14/64] feat(profile): ensure flatpak can run programs in games dir. fix #586 --- apparmor.d/abstractions/common/app | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 4cb47c9d..f2201bd6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -61,7 +61,7 @@ owner @{HOME}/** rwlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, - owner @{user_games_dirs}/** rm, + owner @{user_games_dirs}/** rmix, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, From 72d45c2cf510061b23f8060899443a3a6d549bee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Nov 2024 20:47:07 +0000 Subject: [PATCH 15/64] feat(tunable): better definition of the version var. --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0a95d183..0dc81689 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -130,7 +130,7 @@ @{group}=@{user} # Semantic version -@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},} +@{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse 
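Review bot: Changing `owner @{user_games_dirs}/** rm` to `rmix` in `abstractions/common/app` lets every profile that includes this abstraction execute user-writable files under the games directories, not just flatpak as the commit message describes. Inheritance keeps the child under the calling profile, so the exposure is bounded, but the grant is still broader than the stated intent — consider placing the `ix` rule in the flatpak profile instead, or add a comment such as `# ix: game launchers/binaries run under the calling app's own profile (flatpak, #586)` so the scope is explicit.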
From 0206e04b3fd6802cf6e3565d35aa6afe25a0ce7d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Nov 2024 21:18:16 +0000 Subject: [PATCH 16/64] build: ensure build task get the proper profile name. --- pkg/prebuild/builder/core.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index b45075e1..93b73d76 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -6,6 +6,7 @@ package builder import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" @@ -33,7 +34,7 @@ type Option struct { func NewOption(file *paths.Path) *Option { return &Option{ - Name: file.Base(), + Name: strings.TrimSuffix(file.Base(), ".apparmor.d"), File: file, } } From 9a3adc66d00bf41aba532b7c8c7327f36fe087e7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Nov 2024 22:18:39 +0000 Subject: [PATCH 17/64] feat(profile): small profile update. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 1 + apparmor.d/groups/gnome/loupe | 6 +++++- apparmor.d/profiles-a-f/cctk | 1 + apparmor.d/profiles-g-l/libreoffice | 1 + apparmor.d/profiles-s-z/scrcpy | 1 - 6 files changed, 9 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0bae4e0d..666387d0 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -186,6 +186,7 @@ @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, 
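Review bot: `strings.TrimSuffix(file.Base(), ".apparmor.d")` in NewOption silently keeps the whole file name when the suffix is absent, so a mis-named build file yields an Option whose Name still carries an extension and the mistake surfaces only later; if every build file must end in `.apparmor.d`, checking `strings.HasSuffix` first and reporting the mismatch would catch it at construction. The suffix literal is also a candidate for a named constant (e.g. `const buildExt = ".apparmor.d"`) so it is not duplicated wherever these files are discovered.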
@@ -201,7 +202,6 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 75ec9517..3c60c1cf 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -41,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, + / r, owner @{att}/ r, owner @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index fb7bef34..10853ea8 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, + owner @{user_cache_dirs}/glycin/{,**} rw, + @{run}/mount/utab r, @{sys}/fs/cgroup/user.slice/cpu.max r, @@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal (receive) set=(kill) peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-image-rs rix, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 40c5199b..af7436f3 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -11,6 +11,7 @@ profile cctk @{exec_path} { include include + capability dac_read_search, capability mknod, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 6e1a2d07..63634d78 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
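Review bot: `capability dac_read_search,` is granted to cctk with no comment on which file access needs it, and since this capability bypasses read and search permission checks on every file, it is worth tying to the concrete path that was denied. A comment such as `# dac_read_search: <path reported in the denial>` beside the rule would keep the grant reviewable, in the same way the `# Needed?` marker is used in the upower profile in this series for an uncertain capability. The rest of the cctk profile is outside the hunk.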
@@ -84,6 +84,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, + owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, owner @{tmp}/@{u64} rw, owner @{tmp}/*.tmp/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 3d33e8a3..83af575d 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -25,7 +25,6 @@ profile scrcpy @{exec_path} { @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, - /usr/share/icons/{,**} r, /etc/machine-id r, From ebd6d5473348419c287df45d087b80174b7dd00b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:36:18 +0000 Subject: [PATCH 18/64] feat(profile): update systemd profiles. --- apparmor.d/groups/systemd/hostnamectl | 2 ++ apparmor.d/groups/systemd/systemd-cgls | 1 + apparmor.d/groups/systemd/systemd-logind | 3 ++- apparmor.d/groups/systemd/systemd-modules-load | 1 + apparmor.d/groups/systemd/systemd-oomd | 3 ++- apparmor.d/groups/systemd/systemd-timesyncd | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 1 + 7 files changed, 11 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 65e6ed11..91fc31b5 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -14,6 +14,8 @@ profile hostnamectl @{exec_path} { capability net_admin, + unix bind type=stream addr=@@{hex16}/bus/hostnamectl/system, + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index e74280f6..b25f861b 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/systemd-cgls profile systemd-cgls @{exec_path} { include + include capability sys_ptrace, 
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 53dd0acf..206c0957 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -94,10 +94,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{att}/@{run}/systemd/notify w, + @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/@{int}{,.ref} rw, - @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index abb437f8..d3527c22 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -13,6 +13,7 @@ profile systemd-modules-load @{exec_path} { include capability net_admin, + capability perfmon, capability sys_module, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index e5dce916..469f72b0 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -24,9 +24,10 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, + @{att}/@{run}/systemd/notify w, + @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index de544c9d..9f9136bc 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
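Review bot: `capability perfmon,` is added to systemd-modules-load (and, in the next chunk, to systemd-udevd) without a comment on what triggered it; this capability gates perf and parts of the BPF interface, which are not obvious needs of a module loader, so the denial that motivated it should be recorded. A comment like `# perfmon: <reason from the audit log>` next to the rule would do. If it came from an audit-only observation rather than a functional failure, a `# Needed?` marker as used in the upower profile in this series would flag it for re-check.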
@@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{att}/@{run}/systemd/notify rw, + @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, - @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, owner @{run}/systemd/timesync/synchronized rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index dae5ae67..b8a0c7e4 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -21,6 +21,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability fsetid, capability mknod, capability net_admin, + capability perfmon, capability sys_admin, capability sys_module, capability sys_ptrace, From cf2998b7bdd2bbfb2034161e74c1e802aa4b0de4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:37:28 +0000 Subject: [PATCH 19/64] feat(abs): cover more commonly attached path. --- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/abstractions/base.d/complete | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 33c422bb..1f37de00 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,6 +7,8 @@ abi , + @{att}/@{run}/systemd/journal/socket w, + deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3e10a94f..3b5ecaf4 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -33,6 +33,4 @@ @{PROC}/sys/kernel/core_pattern r, - deny /apparmor/.null rw, - # vim:syntax=apparmor From 4108d6a987fac8f85ec3c1886c31ba1dbfab77a8 Mon Sep 17 00:00:00 2001 
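Review bot: systemd-timesyncd's new rule is `@{att}/@{run}/systemd/notify rw,`, while the equivalent rules added to systemd-logind and systemd-oomd in the previous chunk use `w` only; the notify socket is only written to by the service, so the read bit looks like an oversight. Change it to `@{att}/@{run}/systemd/notify w,` for consistency and least privilege. The removed `@{run}/systemd/notify rw,` line it replaces is history and does not justify keeping the read bit.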
From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:42:31 +0000 Subject: [PATCH 20/64] feat(profile): update some core profiles. --- apparmor.d/groups/freedesktop/polkitd | 2 ++ apparmor.d/groups/freedesktop/upower | 2 ++ apparmor.d/groups/freedesktop/xdg-permission-store | 1 + apparmor.d/groups/network/netplan.script | 2 ++ apparmor.d/groups/ubuntu/apport | 8 +++++--- apparmor.d/groups/virt/containerd | 11 +++++++---- apparmor.d/profiles-a-f/chsh | 1 + apparmor.d/profiles-s-z/snap | 5 +++++ apparmor.d/profiles-s-z/snap-update-ns | 6 ++++++ apparmor.d/profiles-s-z/snapd-apparmor | 1 + apparmor.d/profiles-s-z/uuidd | 1 + 11 files changed, 33 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 089e6174..a8df0261 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -53,6 +53,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 1cb7c958..2aeb4ee8 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -10,6 +10,8 @@ include @{exec_path} = @{bin}/upower profile upower @{exec_path} { include + include + include # Needed? audit capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 441692de..08cfc840 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -43,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 53297493..65d644e7 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -49,6 +49,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, + @{att}/@{run}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index cd018711..11aad0da 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -22,9 +22,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_ptrace, - ptrace (read) peer=gnome-shell, - ptrace (read) peer=snap.cups.cupsd, - ptrace (read) peer=tracker-extract, + ptrace read, @{exec_path} mr, @@ -36,6 +34,10 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, /etc/apport/report-ignore/{,**} r, + /etc/login.defs r, + + /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 62751564..4f73ff98 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
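Review bot: Replacing the three targeted `ptrace (read) peer=...` rules with a bare `ptrace read,` removes the peer constraint, so apport may now read the memory and state of any process on the system, confined or not, which is a broad grant for a crash reporter that also holds `capability sys_ptrace`. If the peer list simply kept growing, a comment saying so (`# apport must read any crashing process, so no peer list`) would at least document the decision; otherwise consider `ptrace (read) peer=unconfined,` plus the known confined peers. The profile carries `flags=(attach_disconnected)`, and the rest of its rules are outside the hunk.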
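Review bot: `@{att}/@{run}/systemd/private rw,` gives netplan.script direct access to systemd's private control socket, which is the interface `systemctl` itself uses to start, stop and reload units, so this is effectively a unit-control grant rather than a file access. A comment stating which systemd operation the script performs (presumably a network unit restart, but the hunk does not show it) would keep that visible; if the script shells out to `systemctl`, an `rPx` transition to the systemctl profile would confine that more tightly than the raw socket.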
@@ -83,6 +83,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, + @{run}/nri/ w, + @{run}/nri/nri.sock rw, @{run}/systemd/notify w, /tmp/cri-containerd.apparmor.d@{int} rwl, @@ -94,12 +96,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, /dev/bsg/ r, /dev/bus/ r, diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index f73ae670..f8a2af5c 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 912ab1a8..a8630400 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -29,6 +29,7 @@ profile snap @{exec_path} { mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, #aa:dbus own bus=session name=io.snapcraft.Launcher + #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" @@ -45,6 +46,7 @@ profile snap @{exec_path} { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, 
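Review bot: `@{lib_dirs}/** mr,` in the snap profile (and the identical line added to snapd-apparmor in the next chunk) allows mapping every file below the lib directories as executable, a much wider grant than the per-binary `rPx` rules around it. If the intent is to let snap load the shared libraries bundled with snapd, a narrower glob such as `@{lib_dirs}/**.so* mr,` with a comment like `# Bundled snapd libraries` would cover it. What `@{lib_dirs}` expands to in this profile is not visible in the hunk.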
@@ -108,6 +110,9 @@ profile snap @{exec_path} { network unix stream, + owner @{run}/user/@{uid}/systemd/notify rw, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 3021a1ad..345c089e 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -23,11 +23,17 @@ profile snap-update-ns @{exec_path} { mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, + umount /snap/**, umount /var/lib/dhcp/, + umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, + umount /usr/share/xml/iso-codes/, @{exec_path} mr, + @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, + /usr/share/xml/iso-codes/ w, + /var/lib/snapd/mount/{,*} r, / r, diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index e7a3b494..6d873982 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} { @{bin}/systemd-detect-virt rPx, @{bin}/apparmor_parser rPx, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index 56b89fa2..c1e14d01 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -17,6 +17,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, + @{run}/uuidd/request w, @{att}/@{run}/uuidd/request w, include if exists From c741f7432357809f0393bce647f16654240f570b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:43:52 +0000 Subject: [PATCH 21/64] feat(profile): fractal uses bwrap for loading image. --- apparmor.d/profiles-a-f/fractal | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
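Review bot: The new `w` rules on `@{lib}/@{multiarch}/webkit2gtk-@{version}/` and `/usr/share/xml/iso-codes/` grant write access to directories under `/usr`, which is unusual for a mount helper and is not explained; the adjacent `umount` rules suggest these are mount-point directories for snap content, but that is inferred. A comment such as `# Mount-point directories for content interfaces` above the two lines would record it. Note that `@{version}` was widened earlier in this series to accept `_` suffixes, so this glob now matches a broader set of directory names than before.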
diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 7f14df0e..6dfb8445 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -21,10 +21,14 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal send set=kill peer=fractal//bwrap, + @{exec_path} mr, @{open_path} rPx -> child-open-help, + @{bin}/bwrap rCx -> bwrap, + /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, @@ -37,6 +41,22 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, + profile bwrap flags=(attach_disconnected) { + include + include + + signal receive set=kill peer=fractal, + + @{bin}/bwrap mr, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + include if exists } From 5611001e5b4744ee5981afcccb88a12a7c58d755 Mon Sep 17 00:00:00 2001 
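Review bot: The new `bwrap` child profile duplicates the glycin loader rules that the loupe profile carries (`@{lib}/glycin-loaders/*/glycin-* rix,`, `owner @{PROC}/@{pid}/fd/ r,`, the gvfs-metadata deny), which are updated in the same series; a shared abstraction (e.g. `abstractions/app/glycin`, name to be chosen) would keep the two in sync. The child profile shows no `userns` or `mount` rules, which bwrap normally needs to build its sandbox; the stripped `include` lines may provide them, but that cannot be verified from this rendering. The parent profile's rules outside the two hunks are not visible.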
From: Alexandre Pujol Date: Tue, 12 Nov 2024 21:42:31 +0000 Subject: [PATCH 22/64] tests: add more integration tests for core tools. --- tests/bats/chsh.bats | 2 +- tests/bats/common.bash | 5 ++- tests/bats/cpuid.bats | 28 +++++++++++++++ tests/bats/df.bats | 6 ++++ tests/bats/dfc.bats | 34 +++++++++++++++++++ tests/bats/homectl.bats | 58 ++++++++++++++++++++++++++++++++ tests/bats/hostnamectl.bats | 27 +++++++++++++++ tests/bats/ip.bats | 18 ++++++---- tests/bats/sync.bats | 22 ++++++++++++ tests/bats/systemd-ac-power.bats | 23 +++++++++++++ tests/bats/systemd-analyze.bats | 29 ++++++++++++++++ tests/bats/systemd-cat.bats | 22 ++++++++++++ tests/bats/systemd-cgls.bats | 29 ++++++++++++++++ tests/bats/systemd-id128.bats | 41 ++++++++++++++++++++++ tests/bats/systemd-sysusers.bats | 28 +++++++++++++++ tests/bats/upower.bats | 29 ++++++++++++++++ tests/bats/userdbctl.bats | 41 ++++++++++++++++++++++ tests/bats/uuidd.bats | 29 ++++++++++++++++ tests/bats/w.bats | 22 ++++++++++++ 19 files changed, 484 insertions(+), 9 deletions(-) create mode 100644 tests/bats/cpuid.bats create mode 100644 tests/bats/dfc.bats create mode 100644 tests/bats/homectl.bats create mode 100644 tests/bats/hostnamectl.bats create mode 100644 tests/bats/sync.bats create mode 100644 tests/bats/systemd-ac-power.bats create mode 100644 tests/bats/systemd-analyze.bats create mode 100644 tests/bats/systemd-cat.bats create mode 100644 tests/bats/systemd-cgls.bats create mode 100644 tests/bats/systemd-id128.bats create mode 100644 tests/bats/systemd-sysusers.bats create mode 100644 tests/bats/upower.bats create mode 100644 tests/bats/userdbctl.bats create mode 100644 tests/bats/uuidd.bats create mode 100644 tests/bats/w.bats diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index 5365fea6..f66eb1f9 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats 
@@ -17,7 +17,7 @@ setup_file() { # bats test_tags=chsh @test "chsh: Set a specific login [s]hell for the current user" { - chsh --shell /usr/bin/bash + echo "$PASSWORD" | chsh --shell /usr/bin/bash aa_check } diff --git a/tests/bats/common.bash b/tests/bats/common.bash index c08d1375..f99c3c19 100644 --- a/tests/bats/common.bash +++ b/tests/bats/common.bash @@ -6,6 +6,9 @@ export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats} load "$BATS_LIB_PATH/bats-support/load" +# User password for sudo commands +export PASSWORD=${PASSWORD:-user} + export XDG_CACHE_DIR=".cache" export XDG_CONFIG_DIR=".config" export XDG_DATA_DIR=".local/share" @@ -100,7 +103,7 @@ aa_check() { local now duration logs now=$(date +%s) - duration=$((now - _START + 2)) + duration=$((now - _START + 1)) logs=$(aa-log --raw --systemd --since "-${duration}s") if [[ -n "$logs" ]]; then fail "profile $PROGRAM raised logs: $logs" diff --git a/tests/bats/cpuid.bats b/tests/bats/cpuid.bats new file mode 100644 index 00000000..1b1226e2 --- /dev/null +++ b/tests/bats/cpuid.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=cpuid +@test "cpuid: Display information for all CPUs" { + cpuid + aa_check +} + +# bats test_tags=cpuid +@test "cpuid: Display information only for the current CPU" { + cpuid -1 + aa_check +} + +# bats test_tags=cpuid +@test "cpuid: Display raw hex information with no decoding" { + cpuid -r + aa_check +} diff --git a/tests/bats/df.bats b/tests/bats/df.bats index be284321..ea9d3f44 100644 --- a/tests/bats/df.bats +++ b/tests/bats/df.bats 
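Review bot: `echo "$PASSWORD" | chsh --shell /usr/bin/bash` feeds the password on stdin, but chsh authenticates through PAM, which normally reads from the controlling terminal rather than stdin, so in a non-interactive runner the prompt may go unanswered and the test fail or hang; this is inferred from the usual PAM conversation, not shown by the hunk. If the CI user is expected to run chsh without a password prompt, the pipe is unnecessary and a comment saying so would help; otherwise the test needs a pty-based driver.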
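Review bot: `duration=$((now - _START + 1))` shrinks the window handed to `aa-log --since` by one second without explanation; as `now` and `_START` are whole seconds, a denial logged within the same second `_START` was taken can fall just outside the window, and the previous `+ 2` looks like it existed for exactly that reason. A comment stating the intended slack, e.g. `# +1s: cover the second in which _START was taken`, would make the change reviewable. The enclosing `aa_check` function starts and ends outside the hunk.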
@@ -21,6 +21,12 @@ setup_file() { aa_check } +# bats test_tags=df +@test "df: Display the filesystem and its disk usage containing the given file or directory" { + df apparmor.d/ + aa_check +} + # bats test_tags=df @test "df: Include statistics on the number of free inodes" { df --inodes diff --git a/tests/bats/dfc.bats b/tests/bats/dfc.bats new file mode 100644 index 00000000..8a1d1891 --- /dev/null +++ b/tests/bats/dfc.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=dfc +@test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { + dfc + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { + dfc -a + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display filesystems without color" { + dfc -c never + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display filesystems containing "ext" in the filesystem type" { + dfc -t ext + aa_check +} diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats new file mode 100644 index 00000000..2fee7907 --- /dev/null +++ b/tests/bats/homectl.bats 
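Review bot: The last dfc test description contains unescaped inner double quotes, `@test "dfc: Display filesystems containing "ext" in the filesystem type" {`, so bash concatenates three words and the quotes vanish from the reported test name, and the bats preprocessor may parse it differently from the other descriptions. Use single quotes inside: `@test "dfc: Display filesystems containing 'ext' in the filesystem type" {`. The new df test, `df apparmor.d/`, also assumes the repository root is the working directory, which is presumably how bats is invoked but is not stated anywhere in the file.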
@@ -0,0 +1,58 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=homectl
+@test "homectl: Display help" {
+ homectl --no-pager --help
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: Create a user account and their associated home directory" {
+ sudo homectl create user2
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: List user accounts and their associated home directories" {
+ homectl list
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: Change the password for a specific user" {
+ sudo homectl passwd user2
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: Run a shell or a command with access to a specific home directory" {
+ sudo homectl with user2 -- ls -al /home/user2
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: Lock or unlock a specific home directory" {
+ sudo homectl lock user2
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" {
+ sudo homectl resize user2 1G
+ aa_check
+}
+
+# bats test_tags=homectl
+@test "homectl: Remove a specific user and the associated home directory" {
+ sudo homectl remove user2
+ aa_check
+}
diff --git a/tests/bats/hostnamectl.bats b/tests/bats/hostnamectl.bats
new file mode 100644
index 00000000..dd410257
--- /dev/null
+++ b/tests/bats/hostnamectl.bats
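Review bot: The resize test's title says `100 GiB` while the command runs `sudo homectl resize user2 1G`; one of the two should change, e.g. `@test "homectl: Change the disk space assigned to a specific home directory to 1 GiB" {`. `sudo homectl create user2` and `sudo homectl passwd user2` also prompt interactively for a password as far as homectl's usual behaviour goes, so without an environment-supplied password or a non-interactive option the file will block in CI; this is inferred, not shown by the hunk. Finally, `sudo homectl lock user2` leaves the home locked for the following resize and remove tests, which may be the intended exercise but deserves a comment.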
@@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup() { + aa_setup +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Get the hostname of the computer" { + hostnamectl +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Get the location of the computer" { + hostnamectl location +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Set the hostname of the computer" { + name=$(hostnamectl hostname) + sudo hostnamectl set-hostname "new" + sudo hostnamectl set-hostname "$name" +} diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 980495d2..47f16ccd 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats @@ -15,15 +15,9 @@ setup_file() { aa_check } -# bats test_tags=ip -@test "ip: List interfaces with brief network layer info" { - ip -brief address - aa_check -} - # bats test_tags=ip @test "ip: List interfaces with brief link layer info" { - ip -brief link + ip link aa_check } @@ -39,3 +33,13 @@ setup_file() { aa_check } +# bats test_tags=ip +@test "ip: Manage network namespace" { + sudo ip netns add foo + sudo ip netns list + sudo ip netns exec foo bash -c "pwd" + sudo ip netns delete foo + aa_check +} + + diff --git a/tests/bats/sync.bats b/tests/bats/sync.bats new file mode 100644 index 00000000..fba657ff --- /dev/null +++ b/tests/bats/sync.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=sync +@test "sync: Flush all pending write operations on all disks" { + sync + aa_check +} + +# bats test_tags=sync +@test "sync: Flush all pending write operations on a single file to disk" { + sudo sync / + aa_check +} diff --git a/tests/bats/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats new file mode 100644 index 00000000..78f68d13 
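Review bot: None of the three hostnamectl tests calls `aa_check`, so profile denials raised by `hostnamectl` are never reported and the file cannot detect what it was written to detect; add `aa_check` as the last line of each test, as every other file in this commit does. The file also uses `setup()` where its siblings use `setup_file()`, which re-runs `aa_setup` before each test; if that is deliberate it should be commented, otherwise align it. The last test changes a system-wide setting with `sudo hostnamectl set-hostname "new"` and relies on the following command to restore it.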
--- /dev/null +++ b/tests/bats/systemd-ac-power.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-ac-power +@test "systemd-ac-power: Report whether we are connected to an external power source." { + systemd-ac-power || true + aa_check +} + +# bats test_tags=systemd-ac-power +@test "systemd-ac-power: Check if battery is discharging and low" { + systemd-ac-power --low || true + aa_check +} + diff --git a/tests/bats/systemd-analyze.bats b/tests/bats/systemd-analyze.bats new file mode 100644 index 00000000..3f6144a7 --- /dev/null +++ b/tests/bats/systemd-analyze.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: List all running units, ordered by the time they took to initialize" { + systemd-analyze --no-pager blame + aa_check +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: Print a tree of the time-critical chain of units" { + systemd-analyze --no-pager critical-chain + aa_check +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: Show security scores of running units" { + systemd-analyze --no-pager security + aa_check +} + diff --git a/tests/bats/systemd-cat.bats b/tests/bats/systemd-cat.bats new file mode 100644 index 00000000..595a6002 --- /dev/null +++ b/tests/bats/systemd-cat.bats 
@@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-cat +@test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { + systemd-cat pwd + aa_check +} + +# bats test_tags=systemd-cat +@test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { + echo apparmor.d-test-suite | systemd-cat + aa_check +} diff --git a/tests/bats/systemd-cgls.bats b/tests/bats/systemd-cgls.bats new file mode 100644 index 00000000..b5bb89de --- /dev/null +++ b/tests/bats/systemd-cgls.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display the whole control group hierarchy on your system" { + systemd-cgls --no-pager + aa_check +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display a control group tree of a specific resource controller" { + systemd-cgls --no-pager io + aa_check +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { + systemd-cgls --no-pager --unit systemd-logind + aa_check +} + diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats new file mode 100644 index 00000000..3b18bd03 --- /dev/null +++ b/tests/bats/systemd-id128.bats 
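Review bot: The second systemd-cat test description wraps the word stderr in backticks inside a double-quoted bash string, so it is a command substitution: bash attempts to run a command named `stderr`, prints a "command not found" error and substitutes an empty string into the test name. Use single quotes or drop the markup: `@test "systemd-cat: Write the output of a pipeline to the journal ('stderr' stays connected to the terminal)" {`. The first test is fine.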
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Generate a new random identifier" { + systemd-id128 new + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current machine" { + systemd-id128 machine-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current boot" { + systemd-id128 boot-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current service invocation (this is available in systemd services)" { + systemd-id128 invocation-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { + systemd-id128 new --uuid + aa_check +} + diff --git a/tests/bats/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats new file mode 100644 index 00000000..f4230d6b --- /dev/null +++ b/tests/bats/systemd-sysusers.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { + systemd-sysusers --cat-config + aa_check +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { + systemd-sysusers --dry-run + aa_check +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Create users and groups from all configuration file" { + sudo systemd-sysusers + aa_check +} 
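Review bot: `systemd-id128 invocation-id` reads the invocation ID that systemd sets only for processes it started as a service, which the test title itself notes; run from a bats session it will exit non-zero and fail the test before `aa_check` runs. Either guard it the way the systemd-ac-power tests do, `systemd-id128 invocation-id || true`, or drop the case. The other four id128 tests look fine.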
diff --git a/tests/bats/upower.bats b/tests/bats/upower.bats new file mode 100644 index 00000000..73afc18e --- /dev/null +++ b/tests/bats/upower.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=upower +@test "upower: Display power and battery information" { + upower --dump + aa_check +} + +# bats test_tags=upower +@test "upower: List all power devices" { + upower --enumerate + aa_check +} + +# bats test_tags=upower +@test "upower: Display version" { + upower --version + aa_check +} + diff --git a/tests/bats/userdbctl.bats b/tests/bats/userdbctl.bats new file mode 100644 index 00000000..6169de44 --- /dev/null +++ b/tests/bats/userdbctl.bats @@ -0,0 +1,41 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=userdbctl +@test "userdbctl: List all known user records" { + userdbctl --no-pager user + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: Show details of a specific user" { + userdbctl --no-pager user "$USER" + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: List all known groups" { + userdbctl --no-pager group + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: Show details of a specific group" { + sudo userdbctl --no-pager group "$USER" + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: List all services currently providing user/group definitions to the system" { + userdbctl --no-pager services + aa_check +} + diff --git a/tests/bats/uuidd.bats b/tests/bats/uuidd.bats new file mode 100644 index 00000000..e13653e3 --- /dev/null +++ b/tests/bats/uuidd.bats 
@@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=uuidd +@test "uuidd: Generate a random UUID" { + uuidd --random + aa_check +} + +# bats test_tags=uuidd +@test "uuidd: Generate a bulk number of random UUIDs" { + uuidd --random --uuids 10 + aa_check +} + +# bats test_tags=uuidd +@test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { + uuidd --time + aa_check +} + diff --git a/tests/bats/w.bats b/tests/bats/w.bats new file mode 100644 index 00000000..7f358aac --- /dev/null +++ b/tests/bats/w.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=w +@test "w: Display information about all users who are currently logged in" { + w + aa_check +} + +# bats test_tags=w +@test "w: Display information about a specific user" { + w root + aa_check +} From e4f0f066485b1bea40f40b13b9b476119a133391 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 21:43:42 +0000 Subject: [PATCH 23/64] tests(ci): install integration tests requirements. --- .github/workflows/main.yml | 1 + tests/requirements.sh | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 tests/requirements.sh diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b07fc899..c4f143f0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -83,6 +83,7 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support + bash tests/requirements.sh - name: Install apparmor.d run: | diff --git a/tests/requirements.sh b/tests/requirements.sh new file mode 100644 index 00000000..91adc003 --- /dev/null 
+++ b/tests/requirements.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Dependencies for the bats integration tests
+
+set -eu
+
+# shellcheck source=/dev/null
+_lsb_release() {
+ . /etc/os-release || exit 1
+ echo "$ID"
+}
+DISTRIBUTION="$(_lsb_release)"
+
+case "$DISTRIBUTION" in
+arch)
+ ;;
+debian | ubuntu | whonix)
+ sudo apt-get install -y \
+ cpuid dfc systemd-userdbd
+ ;;
+opensuse*)
+ ;;
+*) ;;
+esac
From 66455a9251151f1e45175af9be9048496df3e884 Mon Sep 17 00:00:00 2001
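Review bot: The `arch)` and `opensuse*)` branches of the new `case` are empty, so the tools the Debian branch installs (`cpuid dfc systemd-userdbd`) are only provisioned on apt-based systems, and the bats tests added for them in this series will presumably fail elsewhere unless those tools are already present; a one-line comment on each empty branch, e.g. `# nothing to install: provided by the base system`, or the matching pacman/zypper package list, would make the intent explicit. The helper `_lsb_release` reads `/etc/os-release` rather than calling lsb_release, so a name such as `_os_id` would describe what it does. Matching on `$ID` alone also misses derivatives; if those are expected to run the suite, `ID_LIKE` is the usual fallback to consult.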
From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:18:11 +0000 Subject: [PATCH 24/64] feat(profile): improve support for some profiles. Most of the rules have come from the integration tests. --- apparmor.d/abstractions/bus/org.freedesktop.hostname1 | 5 +++++ apparmor.d/groups/bus/ibus-engine-simple | 3 +-- apparmor.d/groups/bus/ibus-x11 | 3 +-- apparmor.d/groups/cron/cron-apport | 2 +- apparmor.d/groups/freedesktop/polkitd | 1 + apparmor.d/groups/freedesktop/upower | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 1 + apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gpg/dirmngr | 1 + apparmor.d/groups/gpg/keyboxd | 1 + apparmor.d/groups/network/netplan.script | 5 ++++- apparmor.d/groups/systemd/systemd-analyze | 2 ++ apparmor.d/groups/systemd/systemd-cgls | 4 ++++ apparmor.d/groups/systemd/systemd-hostnamed | 3 ++- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 1 + apparmor.d/groups/systemd/systemd-oomd | 1 + apparmor.d/groups/systemd/systemd-resolved | 3 ++- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/systemd/systemd-userdbd | 3 +++ apparmor.d/profiles-a-f/cpuid | 1 + apparmor.d/profiles-a-f/fprintd | 1 - apparmor.d/profiles-g-l/ip | 5 ++++- apparmor.d/profiles-g-l/lspci | 1 + apparmor.d/profiles-m-r/pinentry-gnome3 | 1 + apparmor.d/profiles-s-z/snap | 1 + apparmor.d/profiles-s-z/sync | 5 ++--- apparmor.d/profiles-s-z/uuidd | 4 ++-- 29 files changed, 50 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 8957c4cd..7dcb187f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 
@@ -14,6 +14,11 @@ member={Get,GetAll} peer=(name=org.freedesktop.hostname1), + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index ab3b2b2f..f9f9870f 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 1096594a..39d5eccc 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 61aeaf88..1579115a 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -18,7 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, - /var/crash/*.crash w, + /var/crash/* w, include if exists } 
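Review bot: In the cron-apport hunk, `/var/crash/* w,` drops the `.crash` suffix and so lets the cron job create or truncate any file under `/var/crash/`, not only crash reports; if the extra files it needs are known (marker or lock files, for instance), listing their suffixes such as `/var/crash/*.{crash,upload,uploaded} w,` keeps the rule narrow — the exact set should be confirmed against the apport cron script. Either way a short comment naming why the glob was widened would help the next reader, since the hunk gives no reason. The enclosing `profile cron-apport` block starts outside the hunk.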
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index a8df0261..14edf32c 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -54,6 +54,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner /var/lib/polkit{,-1}/.cache/ rw, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 2aeb4ee8..931b4750 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,8 +13,7 @@ profile upower @{exec_path} { include include - # Needed? - audit capability sys_nice, + #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 8d8ae666..489a0426 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -63,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, + / r, + @{att}/.flatpak-info r, + owner @{att}/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d4fa3dc1..ff398f25 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a2dd6d90..d8ae32fd 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 167e8757..2fbdfb08 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/dirmngr profile dirmngr @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index a6eadd90..51ec8b13 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnupg/keyboxd profile keyboxd @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 65d644e7..7f558a1c 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script 
@@ -36,7 +36,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { include include - @{run}/udev/control rw, + capability net_admin, + + @{att}/@{run}/udev/control rw, + @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 09d432b2..65feae3f 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system, + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index b25f861b..9bfde3e6 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -10,6 +10,8 @@ include profile systemd-cgls @{exec_path} { include include + include + include capability sys_ptrace, @@ -17,6 +19,8 @@ profile systemd-cgls @{exec_path} { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index a169a59d..878884ad 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/machine-info rw, /etc/os-release r, + @{att}/@{run}/systemd/notify rw, + @{run}/systemd/default-hostname rw, - @{run}/systemd/notify rw, @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/ r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 32f02f0d..058c59db 100644 
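Review bot: In the systemd-hostnamed hunk, `@{att}/@{run}/systemd/notify rw,` grants read on the notify socket, whereas the systemd-resolved hunk on the next line and the systemd-userdbd hunk after it add the same path as `@{att}/@{run}/systemd/notify w,`, matching the existing `@{att}/@{run}/systemd/notify w,` context in systemd-logind. sd_notify only sends on that socket, so `w` is what is needed and the `rw` here, and in the systemd-localed and systemd-timedated hunks that follow, could be narrowed to `@{att}/@{run}/systemd/notify w,` for consistency. The enclosing `profile systemd-hostnamed` block starts and ends outside the hunk.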
--- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/X11/xorg.conf.d/.#*.confd* rw, /etc/X11/xorg.conf.d/*.conf rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 206c0957..012a8978 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -95,6 +95,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 469f72b0..91288866 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -25,6 +25,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf.d/{,**} r, @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4f9f965f..f6867f43 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -41,8 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, + @{att}/@{run}/systemd/notify w, + @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, 
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e2b6caaa..dd964f3b 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index ce698dc9..c57327bc 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index c374d468..332c1735 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include + include capability mknod, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index b3034dfe..182d9013 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -29,7 +29,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/journal/socket rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 2797ae2b..56c6f5f5 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip 
@@ -30,8 +30,10 @@ profile ip @{exec_path} flags=(attach_disconnected) { umount /sys/, @{exec_path} mrix, + + # To run command with 'ip netns exec' @{shells_path} rUx, - @{bin}/sudo rPx, + @{bin}/sudo rPx, @{att}/ r, @@ -40,6 +42,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { /usr/share/iproute2/{,**} r, + @{run}/netns/ r, @{run}/netns/* rw, owner @{run}/netns/ rwk, diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 3f0fe5d9..b390346b 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -35,6 +35,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}-@{int}/address r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f332ef21..a955a9c6 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include + include include signal (receive) set=(int) peer=gpg-agent, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index a8630400..aa1f6b2b 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -42,6 +42,7 @@ profile snap @{exec_path} { @{exec_path} mrix, @{bin}/mount rix, + @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 907def2b..85a408df 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync 
@@ -13,9 +13,8 @@ profile sync @{exec_path} { @{exec_path} mr, - # Common paths where sync is used to flush all write operations on a single file to disk - # TODO: /** rw, ? - /boot/initrd-*-default rw, + # All paths where sync can be used to flush all write operations on a single file to disk + /** rw, include if exists } diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index c1e14d01..4d75a70e 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -17,8 +17,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, - @{run}/uuidd/request w, - @{att}/@{run}/uuidd/request w, + @{run}/uuidd/request rw, + @{att}/@{run}/uuidd/request rw, include if exists } From 9cb3ea244c388ed69ce5bc54baceb7daf294fb05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:18:41 +0000 Subject: [PATCH 25/64] feat(profile): add homectl. --- apparmor.d/groups/systemd/homectl | 39 +++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/groups/systemd/homectl diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl new file mode 100644 index 00000000..aaae97d6 --- /dev/null +++ b/apparmor.d/groups/systemd/homectl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homectl +profile homectl @{exec_path} { + include + include + include + include + include + + capability net_admin, + capability sys_resource, + + signal send peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + + @{exec_path} mr, + + @{bin}/pkttyagent rpx, + + @{pager_path} rPx -> child-pager, + + /etc/machine-id r, + + owner @{PROC}/@{pids}/cgroup r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor 
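Review bot: `/** rw,` makes the sync profile's file access effectively unrestricted, replacing the single `/boot/initrd-*-default rw,` path and resolving the old `TODO: /** rw, ?` without recording why write access on every path is acceptable. As far as the hunk shows, the profile otherwise grants only `@{exec_path} mr,`, so its value now lies in denying exec and capabilities rather than file access; the new comment should say so, e.g. `# sync(1) must be able to open any file passed to it; confinement relies on no exec/capabilities`. If read-only opens are sufficient for the flush, `/** r,` would be the narrower rule — worth confirming against how sync opens its arguments. The enclosing `profile sync` block starts outside the hunk.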
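Review bot: In the new homectl profile, `@{bin}/pkttyagent rpx,` uses a lowercase `p`, which in AppArmor is a profile transition without environment scrubbing, while every other transition in the file and in the surrounding hunks is written with `Px` (`@{pager_path} rPx -> child-pager`, `@{bin}/sudo rPx`). Unless homectl must pass its environment through to pkttyagent, this should read `@{bin}/pkttyagent rPx,` to keep the scrubbed mode and the repository's convention. The header also says `Copyright (C) 2021` while the other files added in this series say 2024, which looks like a copy-paste leftover.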
From 4c5761ee7105484f421088b56ed3ae59873b7ca7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:25:08 +0000 Subject: [PATCH 26/64] fix(profile): linting issue. --- apparmor.d/profiles-s-z/snap-update-ns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 345c089e..3ce5bfdd 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -27,7 +27,7 @@ profile snap-update-ns @{exec_path} { umount /snap/**, umount /var/lib/dhcp/, umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, - umount /usr/share/xml/iso-codes/, + umount /usr/share/xml/iso-codes/, @{exec_path} mr, From f814bb4caf20a79677d28dcc097451b5e0e26f2b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:31:16 +0000 Subject: [PATCH 27/64] build(debian): disable make check by default on pkg build. Enable it manually in github action. --- .github/workflows/main.yml | 10 ++++++++++ debian/rules | 3 +++ 2 files changed, 13 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c4f143f0..27c8e3d8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,6 +3,16 @@ name: Ubuntu on: [push, pull_request, workflow_dispatch] jobs: + check: + runs-on: ubuntu-24.04 + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Run basic profile linter check + run: | + make check + build: runs-on: ${{ matrix.os }} strategy: diff --git a/debian/rules b/debian/rules index 6e7d2d6e..a30a693d 100755 --- a/debian/rules +++ b/debian/rules @@ -8,3 +8,6 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: + +# do not run 'make check' by default as it can be long for dev package +override_dh_auto_test: From 7c148fca95c42107ad2d0d3bd3ec409aee2b2e4f Mon Sep 17 00:00:00 2001 
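Review bot: The new `check` job references `actions/checkout@v4` by a mutable tag; pinning third-party actions to a full commit SHA, with the version kept in a trailing comment, is the usual hardening so the job runs exactly the action code that was reviewed. This presumably mirrors the existing `build` job, which lies outside the hunk, so if it is tightened both references should move together.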
From: Alexandre Pujol Date: Wed, 13 Nov 2024 11:25:04 +0000 Subject: [PATCH 28/64] feat(profile): small profile improvments. --- apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/profiles-a-f/blkid | 1 + apparmor.d/profiles-g-l/issue-generator | 2 +- apparmor.d/profiles-s-z/useradd | 1 + apparmor.d/profiles-s-z/w | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 115aefd7..41b08a80 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -4,7 +4,7 @@ abi , - dbus send bus=system path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 903e2cb6..27207bdb 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -41,6 +41,7 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{PROC}/swaps r, # Other possible location of the cache file + /dev/.blkid.tab.old rwl -> /dev/.blkid.tab, /dev/.blkid.tab{,-@{rand6}} rw, /dev/blkid.tab.old rwl -> /dev/blkid.tab, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 3602a1a1..8f2d53f7 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -28,7 +28,7 @@ profile issue-generator @{exec_path} { /etc/sysconfig/issue-generator r, @{run}/agetty.reload w, - @{run}/issue r, + @{run}/issue rw, @{run}/issue.@{rand10} rw, @{run}/issue.d/{,**} r, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 0fbb9aa6..5768f134 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd 
@@ -54,6 +54,7 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, @{HOME}/.** w, + @{HOME}/**/ r, /var/lib/*/{,*} rw, /etc/skel/{,.**} r, diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index 3745015c..b23a7bc2 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -24,7 +24,7 @@ profile w @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/* r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, From 24ea5f0a3acbccdbf5ddb4157c48d5df413de9a0 Mon Sep 17 00:00:00 2001 
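Review bot: In the w hunk, `@{run}/systemd/sessions/* r,` widens the previous `@{int}` glob without saying why; presumably session ids are not always numeric here, and a short comment such as `# session ids are not always numeric` would keep the next reader from narrowing it back. The enclosing `profile w` block starts and ends outside the hunk.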
From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:23:36 +0000 Subject: [PATCH 29/64] feat(tunable): add p_dbus_* variables. This allow for better integration for system when dbus is not confined. --- apparmor.d/abstractions/bus-accessibility | 4 ++-- apparmor.d/abstractions/bus-session | 4 ++-- apparmor.d/abstractions/bus-system | 4 ++-- apparmor.d/abstractions/bus/org.a11y | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/polkitd | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 6 +++--- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 10 +++++----- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/nautilus | 4 ++-- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/tunables/multiarch.d/profiles | 5 +++++ docs/development/guidelines.md | 2 +- 33 files changed, 47 insertions(+), 42 deletions(-) diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index ee0a16b9..eba12457 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility 
@@ -7,12 +7,12 @@ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 811787ba..95325d7d 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -11,12 +11,12 @@ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0bfe9681..87044300 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system 
@@ -7,12 +7,12 @@ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{run}/dbus/system_bus_socket rw, diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 357c0647..bb31a079 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -36,7 +36,7 @@ dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9e1737a2..9f611cf3 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{bin}/** Px, @{lib}/** Px, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 19f187cc..9d7ba9b7 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -43,7 +43,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus/Bus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fd970709..9838ba40 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=accessibility name=org.a11y.atspi - #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility + #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 539a2a57..42758585 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ffdfe08a..26a07d8a 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
@@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index ec1633a9..383360ad 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f6f4c12a..e2b1b22d 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 212898a8..fa1e44d0 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
@@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 14edf32c..5e3d3ee7 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 489a0426..57b17b65 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index b0f5e81a..6bafb132 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
@@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f74afdea..06846960 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 42c1265a..babd12c3 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus label=dbus-session), + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8ae32fd..7cc73949 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), # Session bus dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket 
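Review bot: The rewritten peer clause in gnome-session-binary, `peer=(name=org.freedesktop.DBus label="@{p_dbus_session}")`, is the only one in this series without a comma between `name=` and `label=`; every other hunk writes `peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),`. Both forms parse, but since the line is being touched anyway it is worth aligning it with the rest so the peer clauses can be grepped and bulk-edited uniformly.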
@@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/*/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3c2ef3da..d9b0e5e2 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 51bcf2e1..c7478292 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e4990a3e..890e5b34 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e20ea48b..de4644bd 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -70,7 +70,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 7e0422c5..c9f0c637 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index dcb60493..3cea03c9 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl 
@@ -33,7 +33,7 @@ profile busctl @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 878884ad..46786c65 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -25,7 +25,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 012a8978..6b01f514 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index f6867f43..f693cbee 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
@@ -34,7 +34,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 6cee42be..45b2ccfb 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/UDisks2/Manager interface=org.freedesktop.UDisks2.Manager diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b97c5e9a..6847476e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index ddb62cb5..d3a88d78 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon 
@@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b89d9c72..530373ef 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index a24cefc0..2d1fccb3 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -11,4 +11,9 @@ @{p_systemd}=unconfined @{p_systemd_user}=unconfined +# Name of the dbus daemon profiles +@{p_dbus_system}=dbus-system +@{p_dbus_session}=dbus-session +@{p_dbus_accessibility}=dbus-accessibility + # vim:syntax=apparmor diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index f207e58a..fad90158 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.: dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), ``` If there is no predictable label it can be omitted. From 3013c1ea5a978c585f58a07463274ee1ee2b7bc0 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:31:17 +0000 Subject: [PATCH 30/64] ci(github): set local tunable for github actions. --- .github/workflows/main.yml | 1 + tests/github.local | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 tests/github.local diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 27c8e3d8..59449cb4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -97,6 +97,7 @@ jobs: - name: Install apparmor.d run: | + sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service diff --git a/tests/github.local b/tests/github.local new file mode 100644 index 00000000..b4119bc5 --- /dev/null +++ b/tests/github.local @@ -0,0 +1,9 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Local tunables addition for bats integration tests on Github Action + +@{p_dbus_system}+=unconfined +@{p_dbus_session}+=unconfined +@{p_dbus_accessibility}+=unconfined From 194d18191ed9d65f279768576cfdc7a4907752a4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:37:02 +0000 Subject: [PATCH 31/64] fix(profile): ensure useradd can fully populate the skelleton. --- apparmor.d/profiles-s-z/useradd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 5768f134..d27a3420 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -53,7 +53,7 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.** w, + @{HOME}/** wl, @{HOME}/**/ r, /var/lib/*/{,*} rw, /etc/skel/{,.**} r, From b4bcb2f16e61ae8d5a8393e84d092b7940999871 Mon Sep 17 00:00:00 2001 
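Review bot: The three `+=unconfined` lines make every `peer=(... label="@{p_dbus_*}")` rule in the profile set also accept an unconfined peer, which is wider than the packaged value, and the file's header only says it is for bats on GitHub Actions, not why (presumably the runner's dbus daemons are not confined by these profiles — confirm). A comment such as `# The runner's dbus daemons run unconfined, so peer label checks against them must also accept "unconfined"; CI-only, never ship this file` would carry both the reason and the scope. `+=` also requires the variable to already be defined when `global.d/` is parsed; I assume `tunables/global` pulls in the multiarch.d tunables first, but a parse error here would stop every profile from loading on the runner, so that ordering is worth confirming.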
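Review bot: `@{HOME}/** wl,` replaces a rule limited to dot-prefixed entries with write and link access to every path under every home directory, which fixes skeletons containing non-hidden files but is a broad grant for a root process, and the reason for the new `l` permission is not stated anywhere. A short comment above the rule would carry the intent, e.g. `# copy_tree writes skel files and presumably re-creates hard links found in /etc/skel (hence l)` — hedged, since the hunk only shows the permission change. If hard links are not actually needed, dropping `l` keeps the grant to `w` as before.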
From: Alexandre Pujol Date: Wed, 13 Nov 2024 13:31:06 +0000 Subject: [PATCH 32/64] fix(profile): minor fixes. --- apparmor.d/profiles-g-l/ip | 8 +++++--- apparmor.d/profiles-s-z/sync | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 56c6f5f5..bcb521c0 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,11 +20,13 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount options=(rw, rshared) -> @{run}/netns/, - mount options=(rw, rslave) -> /, + mount fstype=sysfs -> /sys/, + mount options=(rw bind) / -> @{run}/netns/*, + mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf, - mount fstype=sysfs -> /sys/, + mount options=(rw, rshared) -> @{run}/netns/, + mount options=(rw, rslave) -> /, umount @{run}/netns/*, umount /sys/, diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 85a408df..9b47b4df 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync @@ -14,7 +14,7 @@ profile sync @{exec_path} { @{exec_path} mr, # All paths where sync can be used to flush all write operations on a single file to disk - /** rw, + /{,**} rw, include if exists } From 4e5f4cb06a393e7f50b87a194eeff45c4b2c24e2 Mon Sep 17 00:00:00 2001 
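Review bot: The new `mount options=(rw bind) / -> @{run}/netns/*,` and `mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/,` use space-separated options while the neighbouring rules in the same block write `options=(rw, bind)` and `options=(rw, rshared)`; both forms parse, but one style per file makes the rules easier to scan. The `/` source of the first rule also deserves a comment, since on its face it grants bind-mounting the root filesystem onto netns entries; I assume it is the nsfs path of `/proc/self/ns/net` showing up as `/` when the path is disconnected (the existing `@{att}/` rule covers the other form), e.g. `# nsfs target of /proc/self/ns/net appears as / (disconnected path)` — confirm against the denial that motivated it. The rest of the `ip` profile is outside the hunk.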
From: Alexandre Pujol Date: Tue, 19 Nov 2024 19:04:27 +0000 Subject: [PATCH 33/64] feat: profiles and integration tests improvments. Add the udbus variable to be used in `unix bind` rule for dbus. --- apparmor.d/abstractions/app/sudo | 8 ++++---- apparmor.d/abstractions/app/systemctl | 2 +- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/groups/_full/systemd-user | 4 ++-- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/bus/dbus-system | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/network/ModemManager | 8 ++++++-- apparmor.d/groups/network/NetworkManager | 9 +++++++-- apparmor.d/groups/network/netplan.script | 16 ++++++++++++++-- apparmor.d/groups/network/nm-online | 1 + apparmor.d/groups/network/nmcli | 4 ++++ apparmor.d/groups/ssh/ssh-keygen | 1 + apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/hostnamectl | 1 + apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-analyze | 2 +- apparmor.d/groups/systemd/systemd-cgls | 2 +- apparmor.d/groups/systemd/systemd-homed | 3 +++ apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-oomd | 2 +- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- apparmor.d/groups/systemd/systemd-update-utmp | 2 +- .../groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/ubuntu/update-notifier | 4 ++-- apparmor.d/profiles-g-l/login | 2 +- apparmor.d/profiles-m-r/needrestart-apt-pinvoke | 2 ++ apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-s-z/snapd | 2 +- apparmor.d/profiles-s-z/sudo | 2 -- apparmor.d/profiles-s-z/udisksd | 4 ++++ apparmor.d/tunables/multiarch.d/system | 3 +++ docs/development/directives.md | 2 +- 
tests/bats/homectl.bats | 1 + tests/bats/snap.bats | 1 - tests/bats/systemd-id128.bats | 6 ------ tests/requirements.sh | 2 +- 43 files changed, 81 insertions(+), 47 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 385ded54..4c7de6ba 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,10 +24,10 @@ network netlink raw, # PAM - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.logi1.Manager - member=CreateSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix bind type=stream addr=@@{udbus}/bus/sudo/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 7857f992..8489bb27 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -10,7 +10,7 @@ ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/, @{bin}/systemctl mr, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 1f37de00..9a53d154 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,8 +7,10 @@ abi , + @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, + deny /apparmor/.null rw, deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 32228f21..919c5345 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
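Review bot: The two `#aa:dbus talk` directives replace a single `member=CreateSession` send to login1 with what the directive name suggests is bidirectional access to the whole `org.freedesktop.login1` and `org.freedesktop.home1` names, and this lives in `abstractions/app/sudo`, so the widening applies to every profile that includes the abstraction. The removed rule carried a typo (`org.freedesktop.logi1.Manager`), so it most likely never matched; if the goal is only to make PAM's session creation work, the narrower fix is to restore the explicit rule with the interface corrected, `dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=CreateSession peer=(name=org.freedesktop.login1, label=systemd-logind),`, plus the specific home1 call PAM needs. If the full talk really is required, a comment naming the PAM modules that need it would justify the scope. The directive expansion is not visible in this patch, so the breadth is inferred.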
@@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system, - unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9d7ba9b7..eb94791d 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{hex16}/bus/apt/system, + unix (bind) type=stream addr=@@{udbus}/bus/apt/system, unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index e4f6b61e..d0fdad4b 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-http, - unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, + unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, @{exec_path} mr, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 6ef4e44e..e4eef275 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -33,7 +33,7 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4ca2b21b..59e6df78 100644 
--- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, - unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, + unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8ac535f1..b92ad8e6 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,9 +25,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+pnp:* r, + @{run}/udev/data/+serial*:* r, @{run}/udev/data/+usb:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @@ -43,9 +47,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/revision r, - @{sys}/devices/virtual/net/*/ r, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de4644bd..de3a180b 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -47,6 +47,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + peer=(name=org.freedesktop.nm_dispatcher), + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -128,10 +132,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+rfkill:* r, @{run}/udev/data/n@{int} r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/net/{,**} r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 7f558a1c..989f2ee0 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -12,6 +12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, @{lib}/netplan/generate rix, 
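Review bot: The new explicit `dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher peer=(name=org.freedesktop.nm_dispatcher),` has no `label=` constraint, whereas the `#aa:dbus talk ... label=nm-dispatcher` directive two lines above already covers the same name with the peer label pinned; as written the new rule lets NetworkManager send to whoever owns the name regardless of confinement. If it is needed because the dispatcher can be bus-activated before its profile is attached (inferred, not shown here), say so in a comment, e.g. `# no peer label: nm-dispatcher may still be unconfined when bus-activated`; otherwise it is redundant and can go. The `@@ -128` hunk in the same file only reorders sysfs paths and needs nothing.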
@@ -22,15 +24,25 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, - @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, + @{run}/netplan/ r, + + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + + @{run}/systemd/network/ r, + @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, @{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{sys}/devices/**/net/*/address r, profile udevadm { include diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 27a511dc..189afd74 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -11,6 +11,7 @@ profile nm-online @{exec_path} { include include include + include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index a964ab95..43a9d0dc 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
@@ -9,10 +9,14 @@ include @{exec_path} = @{bin}/nmcli profile nmcli @{exec_path} { include + include + include capability dac_read_search, capability sys_nice, + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 05a21d41..14cbd3c8 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, /tmp/snapd@{int}/*_*{,.pub} w, + /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2f704fb3..b4ecc068 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, + unix (bind) type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 3cea03c9..6516a500 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -22,7 +22,7 @@ profile busctl @{exec_path} { ptrace (read), - unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, + unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, signal (send) set=(cont) peer=child-pager, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 91fc31b5..2429d235 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -10,6 +10,7 @@ include profile hostnamectl @{exec_path} { include include + include include capability net_admin, 
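Review bot: `/tmp/snapd@{int}/*.key{,.pub} w,` in ssh-keygen writes private key material into a world-writable location without an `owner` qualifier, mirroring the pre-existing `*_*{,.pub}` line above it. If ssh-keygen here runs as the user that created the snapd temp directory, `owner /tmp/snapd@{int}/*.key{,.pub} w,` keeps it from writing through a path another user pre-created; whether the invoking uid makes that workable is not visible in the hunk, so confirm against the snapd call site. The same consideration applies to the existing line, but that is outside this commit's scope.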
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index dee55195..a4bab2be 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd # No label available diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 65feae3f..039f8dc6 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,7 +22,7 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, - unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index 9bfde3e6..33191171 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -19,7 +19,7 @@ profile systemd-cgls @{exec_path} { signal send set=cont peer=child-pager, - unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 5fe748ab..205012cd 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed 
@@ -35,6 +35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> @{run}/, mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, + #aa:dbus own bus=system name=org.freedesktop.home1 @{exec_path} mr, @@ -61,6 +63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, + @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 46786c65..cd77b982 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -18,7 +18,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { network unix stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 058c59db..205d8a55 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b01f514..f7e0af83 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index f38564ae..3eaedfaa 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 91288866..d16c67f7 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index dd964f3b..e070afe4 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 9f9136bc..b603b241 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 8703709c..9d512b49 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 84dfb27e..9c7fe975 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -25,7 +25,7 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 36fae9ce..4ffaf60e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -22,7 +22,7 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell @@ -87,7 +87,7 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index cbaac35b..9b32614a 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -32,7 +32,7 @@ profile login @{exec_path} flags=(attach_disconnected) { signal (send) set=(hup term), - unix type=stream addr=@@{hex16}/bus/login/system, + unix type=stream addr=@@{udbus}/bus/login/system, ptrace read, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 0a9e1dc3..5f391210 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -13,6 +13,8 @@ profile needrestart-apt-pinvoke @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5bf8fceb..7e63560e 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -21,7 +21,7 @@ profile qemu-ga @{exec_path} { ptrace (read) peer=@{p_systemd}, - unix type=stream addr=@@{hex16}/bus/shutdown/system, + unix type=stream addr=@@{udbus}/bus/shutdown/system, #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index d51c65d4..63a1568b 100644 
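Review bot: `capability dac_read_search,` is added to needrestart-apt-pinvoke without recording which access needed it; this capability lets the process bypass read and search permission checks on every path the profile already allows, so it deserves a why-comment next to it, e.g. `capability dac_read_search, # <denied path that triggered this>`. If the denial came from a single root-owned file that the hook legitimately needs, a specific read rule for that file is the narrower fix than the capability. The enclosing profile continues outside the hunk, so I cannot see whether such a rule already exists.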
--- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -50,7 +50,7 @@ profile snapd @{exec_path} { ptrace (read) peer=snap, ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, + unix (bind) type=stream addr=@@{udbus}/bus/systemctl/, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index ca9f66d2..1e674823 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -31,8 +31,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) { signal (send) set=(winch) peer=pacman, signal (send) set=(winch, hup, term) peer=rpm, - unix bind type=stream addr=@@{hex16}/bus/sudo/system/, - @{bin}/@{shells} rUx, @{lib}/** PUx, /opt/*/** PUx, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 530373ef..9155adf8 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -113,9 +113,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @@ -128,6 +130,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/uevent rw, 
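Review bot: The new `@{sys}/devices/**/uevent r,` in udisksd makes the existing `@{sys}/devices/@{pci}/uevent r,` two lines above it redundant, since `**` already matches that path; drop one of them so the profile does not carry two rules for the same access. The widening is read-only (`**/net/*/ r` and `**/uevent r`) while the `uevent w` and `remove rw` rules stay device-specific, which is the right split to keep. The comment `# for acpi` on `@{run}/udev/data/+acpi:* r,` only repeats the path — either state what udisks reads from the ACPI udev records, as the `+pci:*` line does, or drop the comment.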
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0dc81689..78bb73b0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -122,6 +122,9 @@ # Dbus unique name @{busname}=:1.@{u16} :not.active.yet +# Unix dbus address prefix +@{udbus}=@{hex15} @{hex16} + # Universally unique identifier @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} diff --git a/docs/development/directives.md b/docs/development/directives.md index 53c7e7dc..841bc660 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md @@ -140,7 +140,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho include capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 2fee7907..2ce62214 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -7,6 +7,7 @@ load common setup_file() { aa_setup + skip } # bats test_tags=homectl diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index a54dda82..ef6a292d 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -7,7 +7,6 @@ load common setup_file() { aa_setup - skip } # bats test_tags=snap diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats index 3b18bd03..9a9def4d 100644 --- a/tests/bats/systemd-id128.bats +++ b/tests/bats/systemd-id128.bats 
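Review bot: The new tunable `@{udbus}=@{hex15} @{hex16}` accepts both a 15- and a 16-hex-digit prefix for the sd-bus abstract socket names, but its comment `# Unix dbus address prefix` does not say why two lengths are needed; every profile in this series now depends on it, and a later maintainer has no way to tell whether `@{hex15}` is a real case or a leftover. Record the reason where it was observed, e.g. `# Unix dbus address prefix: random hex prefix of sd-bus abstract sockets; 15- and 16-digit forms both appear in logged denials (confirm)`. If the 15-digit form turns out to be a log artefact, the tunable can later be tightened to `@{hex16}` alone.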
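Review bot: The `skip` added to `setup_file` in homectl.bats carries no reason, so the bats report will only show the file as skipped. bats accepts a message, e.g. `skip "systemd-homed cannot run on the CI image"` (or whatever the actual cause is — the commit message does not say). Since the same commit also adds `systemd-homed` to `tests/requirements.sh`, the reason is worth recording so the skip can be lifted once the package install is known to work.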
@@ -27,12 +27,6 @@ setup_file() { aa_check } -# bats test_tags=systemd-id128 -@test "systemd-id128: Print the identifier of the current service invocation (this is available in systemd services)" { - systemd-id128 invocation-id - aa_check -} - # bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { systemd-id128 new --uuid diff --git a/tests/requirements.sh b/tests/requirements.sh index 91adc003..c12f9249 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -19,7 +19,7 @@ arch) ;; debian | ubuntu | whonix) sudo apt-get install -y \ - cpuid dfc systemd-userdbd + cpuid dfc systemd-userdbd systemd-homed tlp ;; opensuse*) ;; From a1f5640024031c3a9e88d2c22a5ea97dfe78b615 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 19:34:04 +0000 Subject: [PATCH 34/64] ci(github): restart some services to ensure they are confined. --- .github/workflows/main.yml | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 59449cb4..89b0039a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,6 +15,7 @@ jobs: build: runs-on: ${{ matrix.os }} + needs: check strategy: matrix: os: 
@@ -93,19 +94,42 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support - bash tests/requirements.sh - name: Install apparmor.d run: | - sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service + - name: Restart some services to ensure they are confined + run: | + services=( + containerd cron + dbus docker + ModemManager multipathd + networkd-dispatcher + packagekit polkit + snapd + systemd-journald systemd-hostnamed systemd-logind systemd-networkd + systemd-resolved systemd-udevd + udisks2 + ) + sudo systemctl daemon-reload + for service in "${services[@]}"; do + sudo systemctl restart "$service" || systemctl status "$service.service" || true + done + sudo ps auxZ | grep -v '\[.*\]' + sudo aa-log -s --raw + + - name: Install integration dependencies + run: | + bash tests/requirements.sh + - name: Run the bats integration tests run: | make bats - - name: Show final AppArmor logs + - name: Show final AppArmor logs and processes security context if: always() run: | sudo aa-log -s --raw + sudo ps auxZ | grep -v '\[.*\]' From 5bf8d362faea2edd18542f2b814bccea2eb40068 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 19:49:22 +0000 Subject: [PATCH 35/64] fix(profile): minor improvment to ensure tests passes. --- apparmor.d/groups/apt/apt | 4 +++- apparmor.d/groups/apt/apt-methods-file | 3 ++- apparmor.d/groups/apt/apt-methods-mirror | 1 + apparmor.d/groups/bus/dbus-system | 3 +++ apparmor.d/profiles-a-f/apparmor_parser | 1 + 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index eb94791d..369dd3bb 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
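Review bot: The restart loop `sudo systemctl restart "$service" || systemctl status "$service.service" || true` swallows every failure, so a daemon that no longer starts under its new profile cannot fail this step, and the `ps auxZ` and `aa-log -s --raw` that follow are display-only; a step named "ensure they are confined" currently asserts nothing. At minimum record the services whose restart failed and fail the step afterwards, keeping `systemctl status` for diagnostics: `failed=()` before the loop, `sudo systemctl restart "$service" || { systemctl status "$service.service" || true; failed+=("$service"); }` inside it, and `(( ${#failed[@]} == 0 ))` after it. Separately, this hunk removes `sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local` with no replacement visible here; if that tunable now comes from `tests/requirements.sh` this is fine, otherwise the CI run loses the GitHub-runner overrides and the profiles are tested against the wrong paths.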
@@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{udbus}/bus/apt/system, + unix bind type=stream addr=@@{udbus}/bus/apt-get/system, + unix bind type=stream addr=@@{udbus}/bus/apt/system, + unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 6d3e9d40..3c2489a3 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} { @{lib}/apt/apt-helper rix, - /etc/apt/apt.conf.d/{,*} r, + /etc/apt/apt-mirrors.txt r, /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/mirrors/* r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 5acecd67..d8e3adce 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} { @{exec_path} mr, + /etc/apt/apt-mirrors.txt r, /etc/apt/mirrors/* r, # For shell pwd diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index e4eef275..a569a734 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -34,6 +34,9 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + dbus receive bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + peer=(name=@{busname}), @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index b2c18104..19c0f690 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser 
@@ -45,6 +45,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit + deny /apparmor/.null rw, include if exists } From 3c0c68f28f926b8e5ee8c1b3bbdd583b2f462106 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 20:00:04 +0000 Subject: [PATCH 36/64] ci(github): split the final step in two. --- .github/workflows/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 89b0039a..c7a76f87 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -128,8 +128,12 @@ jobs: run: | make bats - - name: Show final AppArmor logs and processes security context + - name: Show final AppArmor logs if: always() run: | sudo aa-log -s --raw + + - name: Show final processes security context + if: always() + run: | sudo ps auxZ | grep -v '\[.*\]' From be627e5e9dc4f18c88248a5b35ece21783448106 Mon Sep 17 00:00:00 2001 From: odomingao Date: Mon, 18 Nov 2024 12:27:33 -0300 Subject: [PATCH 37/64] Update sysctl --- apparmor.d/profiles-s-z/sysctl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 6dd12a02..849aeb68 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -15,6 +15,7 @@ profile sysctl @{exec_path} { capability net_admin, capability sys_admin, + capability sys_ptrace, capability sys_resource, @{exec_path} mr, From 206bc3473db09e151d083dcf7887cfa1d2c39ff8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 20:44:34 +0000 Subject: [PATCH 38/64] fix: missing @{udbus} in unix bind. --- apparmor.d/groups/systemd/hostnamectl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 2429d235..3107d2d8 100644 --- a/apparmor.d/groups/systemd/hostnamectl 
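Review bot: `deny /apparmor/.null rw,` is added to apparmor_parser with no comment, while the neighbouring `deny network netlink raw, # file_inherit` records why it exists. `/apparmor/.null` is the placeholder AppArmor redirects revoked or disconnected descriptors to, so this deny is presumably there to silence inherited-fd noise rather than to block anything the parser does itself — but that is exactly the reasoning that should be written down, e.g. `deny /apparmor/.null rw, # file_inherit: fds redirected to the AppArmor null device`. If the logged denial actually came from a file the parser opened, a deny rule would hide a real breakage instead of documenting a harmless one.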
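Review bot: `capability sys_ptrace,` is added to the sysctl profile with no indication of what triggered it. sys_ptrace is a broad capability (it governs ptrace and inspection of other processes through /proc), and a sysctl run that reads and writes keys under `/proc/sys` should not need it, so the denial may be an artefact of how the harness invokes the tool rather than a real requirement. Before granting it, capture the audit line and either note it beside the rule, `capability sys_ptrace, # <reason / denied operation>`, or — if sysctl works without it — use `deny capability sys_ptrace,` to keep the log quiet while refusing the privilege.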
+++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} { capability net_admin, - unix bind type=stream addr=@@{hex16}/bus/hostnamectl/system, + unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system, #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed From 7b4e01217b8b46ae1f2170fb5bee68dbd4ee6bee Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:13:25 +0000 Subject: [PATCH 39/64] tests: cleanup the basic structure of integration tests. --- Makefile | 2 +- tests/bats/aa-enforce.bats | 8 ------ tests/bats/aa-status.bats | 14 ---------- tests/bats/blkid.bats | 8 ------ tests/bats/chsh.bats | 9 ------ tests/bats/common.bash | 12 +++++++- tests/bats/cpuid.bats | 10 ------- tests/bats/df.bats | 14 ---------- tests/bats/dfc.bats | 12 -------- tests/bats/fc-cache.bats | 11 -------- tests/bats/fc-list.bats | 6 ---- tests/bats/flatpak.bats | 18 ------------ tests/bats/gpgconf.bats | 14 ---------- tests/bats/groupadd.bats | 12 -------- tests/bats/groups.bats | 8 ------ tests/bats/homectl.bats | 16 ----------- tests/bats/hostnamectl.bats | 7 ----- tests/bats/id.bats | 15 ---------- tests/bats/ip.bats | 43 +++++++++++++++-------------- tests/bats/lsblk.bats | 20 -------------- tests/bats/lscpu.bats | 10 ------- tests/bats/lspci.bats | 14 ---------- tests/bats/lsusb.bats | 10 ------- tests/bats/ps.bats | 16 ----------- tests/bats/pstree.bats | 10 ------- tests/bats/snap.bats | 18 ------------ tests/bats/sync.bats | 8 ------ tests/bats/systemd-ac-power.bats | 8 ------ tests/bats/systemd-analyze.bats | 11 +------- tests/bats/systemd-cat.bats | 8 ------ tests/bats/systemd-cgls.bats | 10 ------- tests/bats/systemd-detect-virt.bats | 9 +++--- tests/bats/systemd-id128.bats | 12 -------- tests/bats/systemd-sysusers.bats | 10 ------- tests/bats/uname.bats | 20 -------------- tests/bats/upower.bats | 10 ------- tests/bats/uptime.bats | 12 -------- tests/bats/useradd.bats | 17 ------------ tests/bats/userdbctl.bats | 14 ---------- tests/bats/users.bats | 8 ------ tests/bats/uuidd.bats | 11 -------- tests/bats/uuidgen.bats | 9 ------ tests/bats/w.bats | 8 ------ tests/bats/who.bats | 10 ------- tests/cmd/main.go | 7 ++++- tests/cmd/tests.go | 13 +++------ 46 files changed, 50 insertions(+), 502 deletions(-) diff --git a/Makefile b/Makefile index 68564911..b56d69c6 100644 
--- a/Makefile +++ b/Makefile @@ -113,7 +113,7 @@ check: .PHONY: bats bats: - @bats --print-output-on-failure tests/bats/ + @bats --pretty --print-output-on-failure tests/bats/ .PHONY: manual manual: diff --git a/tests/bats/aa-enforce.bats b/tests/bats/aa-enforce.bats index 05f311ca..d6b549b1 100644 --- a/tests/bats/aa-enforce.bats +++ b/tests/bats/aa-enforce.bats @@ -10,26 +10,18 @@ setup_file() { skip } -# bats test_tags=aa-enforce @test "aa-enforce: Disable profile" { sudo aa-disable pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Enforce a profile" { sudo aa-enforce pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Complain a profile" { sudo aa-complain pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Audit a profile" { sudo aa-audit pass - aa_check } diff --git a/tests/bats/aa-status.bats b/tests/bats/aa-status.bats index 8adcd158..fbfb6667 100644 --- a/tests/bats/aa-status.bats +++ b/tests/bats/aa-status.bats @@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=aa-status @test "aa-status: Check status" { sudo aa-status - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded policies" { sudo aa-status --profiled - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforicing policies" { sudo aa-status --enforced - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded non-enforcing policies" { sudo aa-status --complaining - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforcing policies that kill tasks" { sudo aa-status --kill - aa_check } diff --git a/tests/bats/blkid.bats b/tests/bats/blkid.bats index 65160f18..6dcf4b4d 100644 --- a/tests/bats/blkid.bats +++ b/tests/bats/blkid.bats 
@@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=blkid @test "blkid: List all partitions" { sudo blkid - aa_check } -# bats test_tags=blkid @test "blkid: List all partitions in a table, including current mountpoints" { sudo blkid -o list - aa_check } diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index f66eb1f9..a9f5a697 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats @@ -5,24 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=chsh @test "chsh: [l]ist available shells" { chsh --list-shells || true - aa_check } -# bats test_tags=chsh @test "chsh: Set a specific login [s]hell for the current user" { echo "$PASSWORD" | chsh --shell /usr/bin/bash - aa_check } # bats test_tags=chsh @test "chsh: Set a login [s]hell for a specific user" { sudo chsh --shell /usr/bin/sh root - aa_check } diff --git a/tests/bats/common.bash b/tests/bats/common.bash index f99c3c19..556ef871 100644 --- a/tests/bats/common.bash +++ b/tests/bats/common.bash @@ -105,8 +105,18 @@ aa_check() { now=$(date +%s) duration=$((now - _START + 1)) logs=$(aa-log --raw --systemd --since "-${duration}s") + aa_start if [[ -n "$logs" ]]; then fail "profile $PROGRAM raised logs: $logs" fi - aa_start +} + +# Bats setup and teardown hooks + +setup_file() { + aa_setup +} + +teardown() { + aa_check } diff --git a/tests/bats/cpuid.bats b/tests/bats/cpuid.bats index 1b1226e2..0fe2da6a 100644 --- a/tests/bats/cpuid.bats +++ b/tests/bats/cpuid.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=cpuid @test "cpuid: Display information for all CPUs" { cpuid - aa_check } -# bats test_tags=cpuid @test "cpuid: Display information only for the current CPU" { cpuid -1 - aa_check } -# bats test_tags=cpuid @test "cpuid: Display raw hex information with no decoding" { cpuid -r - aa_check } diff --git a/tests/bats/df.bats b/tests/bats/df.bats index ea9d3f44..a97ad53c 100644 --- a/tests/bats/df.bats +++ b/tests/bats/df.bats 
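Review bot: `aa_check` in common.bash is now run from the shared `teardown()` hook for every test, but it still collects `aa-log --raw --systemd --since "-${duration}s"` unfiltered and then reports `profile $PROGRAM raised logs`, so a denial from any other confined process active on the CI host during the window (the daemons the workflow restarts, cron, snapd) is attributed to the program under test and fails its test. If `aa-log` accepts a profile-name argument, pass `"$PROGRAM"` to it; otherwise filter the raw lines on the profile before calling `fail`, and word the message so it does not blame `$PROGRAM` for someone else's denial. Moving `aa_start` ahead of the `fail` call is a good change — the window is now reset even when the check fails. As far as I recall bats also runs `teardown` for skipped tests, so files that `skip` in their own `setup_file` (aa-enforce, homectl) will still execute `aa_check` per test; probably harmless, but it explains any denials reported from a skipped file.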
@@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=df @test "df: Display all filesystems and their disk usage" { df - aa_check } -# bats test_tags=df @test "df: Display all filesystems and their disk usage in human-readable form" { df -h - aa_check } -# bats test_tags=df @test "df: Display the filesystem and its disk usage containing the given file or directory" { df apparmor.d/ - aa_check } -# bats test_tags=df @test "df: Include statistics on the number of free inodes" { df --inodes - aa_check } -# bats test_tags=df @test "df: Display filesystem types" { df --print-type - aa_check } diff --git a/tests/bats/dfc.bats b/tests/bats/dfc.bats index 8a1d1891..56871f16 100644 --- a/tests/bats/dfc.bats +++ b/tests/bats/dfc.bats @@ -5,30 +5,18 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=dfc @test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { dfc - aa_check } -# bats test_tags=dfc @test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { dfc -a - aa_check } -# bats test_tags=dfc @test "dfc: Display filesystems without color" { dfc -c never - aa_check } -# bats test_tags=dfc @test "dfc: Display filesystems containing "ext" in the filesystem type" { dfc -t ext - aa_check } diff --git a/tests/bats/fc-cache.bats b/tests/bats/fc-cache.bats index 7ad92d94..05b8f193 100644 --- a/tests/bats/fc-cache.bats +++ b/tests/bats/fc-cache.bats @@ -5,25 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=fc-cache @test "fc-cache: Generate font cache files" { fc-cache - aa_check } -# bats test_tags=fc-cache @test "fc-cache: Force a rebuild of all font cache files, without checking if cache is up-to-date" { fc-cache -f - aa_check } -# bats test_tags=fc-cache @test "fc-cache: Erase font cache files, then generate new font cache files" { fc-cache -r - aa_check } - 
diff --git a/tests/bats/fc-list.bats b/tests/bats/fc-list.bats index b85b1037..52ed4388 100644 --- a/tests/bats/fc-list.bats +++ b/tests/bats/fc-list.bats @@ -5,12 +5,6 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=fc-list @test "fc-list: Return a list of installed fonts in your system" { fc-list - aa_check } diff --git a/tests/bats/flatpak.bats b/tests/bats/flatpak.bats index 23647c93..e549e01a 100644 --- a/tests/bats/flatpak.bats +++ b/tests/bats/flatpak.bats @@ -5,48 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=flatpak @test "flatpak: List installed applications, ignoring runtimes" { flatpak list --app - aa_check } -# bats test_tags=flatpak @test "flatpak: Install an application from a remote source" { flatpak install --noninteractive org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Show information about an installed application" { flatpak info org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Run an installed application" { flatpak run org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Update all installed applications and runtimes" { flatpak update --noninteractive - aa_check } -# bats test_tags=flatpak @test "flatpak: Remove an installed application" { flatpak remove --noninteractive org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Remove all unused applications" { flatpak remove --unused - aa_check } diff --git a/tests/bats/gpgconf.bats b/tests/bats/gpgconf.bats index 7d522d85..7155c5aa 100644 --- a/tests/bats/gpgconf.bats +++ b/tests/bats/gpgconf.bats 
@@ -5,44 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=gpgconf @test "gpgconf: List all components" { gpgconf --list-components - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List the directories used by gpgconf" { gpgconf --list-dirs - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List all options of a component" { gpgconf --list-options gpg gpgconf --list-options gpgsm gpgconf --list-options gpg-agent gpgconf --list-options scdaemon || true gpgconf --list-options dirmngr - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List programs and test whether they are runnable" { gpgconf --check-programs || true - aa_check } -# bats test_tags=gpgconf @test "gpgconf: Reload a component" { gpgconf --reload gpg gpgconf --reload gpgsm gpgconf --reload gpg-agent gpgconf --reload scdaemon || true gpgconf --reload dirmngr - aa_check } diff --git a/tests/bats/groupadd.bats b/tests/bats/groupadd.bats index f5557959..cbc0aa57 100644 --- a/tests/bats/groupadd.bats +++ b/tests/bats/groupadd.bats @@ -5,32 +5,20 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=groupadd @test "groupadd: Create a new group" { sudo groupadd user2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new system group" { sudo groupadd --system system2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new group with the specific groupid" { sudo groupadd --gid 3000 user3 - aa_check } -# bats test_tags=groupadd @test "groupdel: Delete newly created group" { sudo groupdel user2 sudo groupdel system2 sudo groupdel user3 - aa_check } diff --git a/tests/bats/groups.bats b/tests/bats/groups.bats index 829e2393..60bf6ea4 100644 --- a/tests/bats/groups.bats +++ b/tests/bats/groups.bats 
@@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=groups @test "groups: Print group memberships for the current user" { groups - aa_check } -# bats test_tags=groups @test "groups: Print group memberships for a list of users" { groups root - aa_check } diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 2ce62214..32ff3e57 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -10,50 +10,34 @@ setup_file() { skip } -# bats test_tags=homectl @test "homectl: Display help" { homectl --no-pager --help - aa_check } -# bats test_tags=homectl @test "homectl: Create a user account and their associated home directory" { sudo homectl create user2 - aa_check } -# bats test_tags=homectl @test "homectl: List user accounts and their associated home directories" { homectl list - aa_check } -# bats test_tags=homectl @test "homectl: Change the password for a specific user" { sudo homectl passwd user2 - aa_check } -# bats test_tags=homectl @test "homectl: Run a shell or a command with access to a specific home directory" { sudo homectl with user2 -- ls -al /home/user2 - aa_check } -# bats test_tags=homectl @test "homectl: Lock or unlock a specific home directory" { sudo homectl lock user2 - aa_check } -# bats test_tags=homectl @test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" { sudo homectl resize user2 1G - aa_check } -# bats test_tags=homectl @test "homectl: Remove a specific user and the associated home directory" { sudo homectl remove user2 - aa_check } diff --git a/tests/bats/hostnamectl.bats b/tests/bats/hostnamectl.bats index dd410257..2c15658a 100644 --- a/tests/bats/hostnamectl.bats +++ b/tests/bats/hostnamectl.bats 
@@ -5,21 +5,14 @@ load common -setup() { - aa_setup -} - -# bats test_tags=hostnamectl @test "hostnamectl: Get the hostname of the computer" { hostnamectl } -# bats test_tags=hostnamectl @test "hostnamectl: Get the location of the computer" { hostnamectl location } -# bats test_tags=hostnamectl @test "hostnamectl: Set the hostname of the computer" { name=$(hostnamectl hostname) sudo hostnamectl set-hostname "new" diff --git a/tests/bats/id.bats b/tests/bats/id.bats index 5a7b58c5..a09def4a 100644 --- a/tests/bats/id.bats +++ b/tests/bats/id.bats @@ -5,41 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=id @test "id: Display current user's ID (UID), group ID (GID) and groups to which they belong" { id - aa_check } -# bats test_tags=id @test "id: Display the current user identity" { id -un - aa_check } -# bats test_tags=id @test "id: Display the current user identity as a number" { id -u - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity" { id -gn - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity as a number" { id -g - aa_check } -# bats test_tags=id @test "id: Display an arbitrary user ID (UID), group ID (GID) and groups to which they belong" { id root } diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 47f16ccd..6d5508c8 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats 
@@ -5,41 +5,42 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=ip -@test "ip: List interfaces with detailed info" { +@test "ip-address: List network interfaces and their associated IP addresses" { ip address - aa_check } -# bats test_tags=ip -@test "ip: List interfaces with brief link layer info" { - ip link - aa_check +@test "ip-address: Filter to show only active network interfaces" { + ip address show up } -# bats test_tags=ip -@test "ip: Display the routing table" { +@test "ip-route: Display the routing table" { ip route - aa_check } -# bats test_tags=ip -@test "ip: Show neighbors (ARP table)" { +@test "ip-route-get: Print route to a destination" { + ip route get 1.1.1.1 +} + +@test "ip link: Show information about all network interfaces" { + ip link +} + +@test "ip neighbour: Display the neighbour/ARP table entries" { ip neighbour - aa_check } -# bats test_tags=ip +@test "ip rule: Display the routing policy" { + ip rule show + ip rule list +} + +@test "ip rule: Flush all deleted rules" { + ip rule flush +} + @test "ip: Manage network namespace" { sudo ip netns add foo sudo ip netns list sudo ip netns exec foo bash -c "pwd" sudo ip netns delete foo - aa_check } - - diff --git a/tests/bats/lsblk.bats b/tests/bats/lsblk.bats index 4fecf42a..4dc3e20b 100644 --- a/tests/bats/lsblk.bats +++ b/tests/bats/lsblk.bats 
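Review bot: `ip route get 1.1.1.1` in the new "ip-route-get" test depends on the host having a route to the outside, so on an offline runner it exits non-zero and the test fails for a reason unrelated to the profile; the commit already uses `|| true` for host-dependent commands (lsusb, systemd-detect-virt), so `ip route get 1.1.1.1 || true` keeps the intent. The new "ip rule: Flush all deleted rules" test runs `ip rule flush` without `sudo`, so for an unprivileged user it fails with an RTNETLINK permission error; if it is meant to run as root, it rewrites the routing policy database of the test host and belongs with the other mutating tests that assume a disposable VM. The identical ip.bats hunk appears again in the second copy of this patch further down the page.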
@@ -5,54 +5,34 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lsblk @test "lsblk: List all storage devices in a tree-like format" { lsblk - aa_check } -# bats test_tags=lsblk @test "lsblk: Also list empty devices" { lsblk -a - aa_check } -# bats test_tags=lsblk @test "lsblk: Print the SIZE column in bytes rather than in a human-readable format" { lsblk -b - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about filesystems" { lsblk -f - aa_check } -# bats test_tags=lsblk @test "lsblk: Use ASCII characters for tree formatting" { lsblk -i - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about block-device topology" { lsblk -t - aa_check } -# bats test_tags=lsblk @test "lsblk: Exclude the devices specified by the comma-separated list of major device numbers" { lsblk -e 1 - aa_check } -# bats test_tags=lsblk @test "lsblk: Display a customized summary using a comma-separated list of columns" { lsblk --output NAME,SERIAL,MODEL,TRAN,TYPE,SIZE,FSTYPE,MOUNTPOINT - aa_check } diff --git a/tests/bats/lscpu.bats b/tests/bats/lscpu.bats index ef09cfbb..d0959906 100644 --- a/tests/bats/lscpu.bats +++ b/tests/bats/lscpu.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lscpu @test "lscpu: Display information about all CPUs" { lscpu - aa_check } -# bats test_tags=lscpu @test "lscpu: Display information in a table" { lscpu --extended - aa_check } -# bats test_tags=lscpu @test "lscpu: Display only information about offline CPUs in a table" { lscpu --extended --offline - aa_check } diff --git a/tests/bats/lspci.bats b/tests/bats/lspci.bats index bc6ea201..02190660 100644 --- a/tests/bats/lspci.bats +++ b/tests/bats/lspci.bats 
@@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lspci @test "lspci: Show a brief list of devices" { lspci - aa_check } -# bats test_tags=lspci @test "lspci: Display additional info" { lspci -v - aa_check } -# bats test_tags=lspci @test "lspci: Display drivers and modules handling each device" { lspci -k - aa_check } -# bats test_tags=lspci @test "lspci: Show a specific device" { lspci -s 00:00.0 - aa_check } -# bats test_tags=lspci @test "lspci: Dump info in a readable form" { lspci -vm - aa_check } diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats index 8f646d89..f5444fce 100644 --- a/tests/bats/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lsusb @test "lsusb: List all the USB devices available" { lsusb || true - aa_check } -# bats test_tags=lsusb @test "lsusb: List the USB hierarchy as a tree" { lsusb -t || true - aa_check } -# bats test_tags=lsusb @test "lsusb: List verbose information about USB devices" { lsusb --verbose || true - aa_check } diff --git a/tests/bats/ps.bats b/tests/bats/ps.bats index 4be301f7..bcdfbe1b 100644 --- a/tests/bats/ps.bats +++ b/tests/bats/ps.bats @@ -5,42 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=ps @test "ps: List all running processes" { ps aux - aa_check } -# bats test_tags=ps @test "ps: List all running processes including the full command string" { ps auxww - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user in extra full format" { ps --user "$(id -u)" -F - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user as a tree" { ps --user "$(id -u)" -f - aa_check } -# bats test_tags=ps @test "ps: Get the parent PID of a process" { ps -o ppid= -p 1 - aa_check } -# bats test_tags=ps @test "ps: Sort processes by memory consumption" { ps auxww --sort size - aa_check } 
diff --git a/tests/bats/pstree.bats b/tests/bats/pstree.bats index e3ed5fa8..23094478 100644 --- a/tests/bats/pstree.bats +++ b/tests/bats/pstree.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=pstree @test "pstree: Display a tree of processes" { pstree - aa_check } -# bats test_tags=pstree @test "pstree: Display a tree of processes with PIDs" { pstree -p - aa_check } -# bats test_tags=pstree @test "pstree: Display all process trees rooted at processes owned by specified user" { pstree root - aa_check } diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index ef6a292d..1eff200a 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -5,48 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=snap @test "snap: Search for a package" { snap find vim - aa_check } -# bats test_tags=snap @test "snap: Install a package" { sudo snap install nano-strict - aa_check } -# bats test_tags=snap @test "snap: Update a package to another channel (track, risk, or branch)" { sudo snap refresh nano-strict --channel=edge - aa_check } -# bats test_tags=snap @test "snap: Update all packages" { sudo snap refresh - aa_check } -# bats test_tags=snap @test "snap: Display basic information about installed snap software" { sudo snap list - aa_check } -# bats test_tags=snap @test "snap: Check for recent snap changes in the system" { sudo snap changes - aa_check } -# bats test_tags=snap @test "snap: Uninstall a package" { sudo snap remove nano-strict - aa_check } diff --git a/tests/bats/sync.bats b/tests/bats/sync.bats index fba657ff..9f2e2688 100644 --- a/tests/bats/sync.bats +++ b/tests/bats/sync.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=sync @test "sync: Flush all pending write operations on all disks" { sync - aa_check } -# bats test_tags=sync @test "sync: Flush all pending write operations on a single file to disk" { sudo sync / - aa_check } 
diff --git a/tests/bats/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats index 78f68d13..30019825 100644 --- a/tests/bats/systemd-ac-power.bats +++ b/tests/bats/systemd-ac-power.bats @@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-ac-power @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true - aa_check } -# bats test_tags=systemd-ac-power @test "systemd-ac-power: Check if battery is discharging and low" { systemd-ac-power --low || true - aa_check } diff --git a/tests/bats/systemd-analyze.bats b/tests/bats/systemd-analyze.bats index 3f6144a7..6bb275bb 100644 --- a/tests/bats/systemd-analyze.bats +++ b/tests/bats/systemd-analyze.bats @@ -5,25 +5,16 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-analyze @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame - aa_check } -# bats test_tags=systemd-analyze @test "systemd-analyze: Print a tree of the time-critical chain of units" { systemd-analyze --no-pager critical-chain - aa_check } -# bats test_tags=systemd-analyze @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security - aa_check } + diff --git a/tests/bats/systemd-cat.bats b/tests/bats/systemd-cat.bats index 595a6002..da634982 100644 --- a/tests/bats/systemd-cat.bats +++ b/tests/bats/systemd-cat.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-cat @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd - aa_check } -# bats test_tags=systemd-cat @test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { echo apparmor.d-test-suite | systemd-cat - aa_check } 
diff --git a/tests/bats/systemd-cgls.bats b/tests/bats/systemd-cgls.bats
index b5bb89de..dca00b62 100644
--- a/tests/bats/systemd-cgls.bats
+++ b/tests/bats/systemd-cgls.bats
@@ -5,25 +5,15 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=systemd-cgls
 @test "systemd-cgls: Display the whole control group hierarchy on your system" {
 systemd-cgls --no-pager
- aa_check
 }
-# bats test_tags=systemd-cgls
 @test "systemd-cgls: Display a control group tree of a specific resource controller" {
 systemd-cgls --no-pager io
- aa_check
 }
-# bats test_tags=systemd-cgls
 @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" {
 systemd-cgls --no-pager --unit systemd-logind
- aa_check
 }
diff --git a/tests/bats/systemd-detect-virt.bats b/tests/bats/systemd-detect-virt.bats
index 0ea5fae3..41150ef7 100644
--- a/tests/bats/systemd-detect-virt.bats
+++ b/tests/bats/systemd-detect-virt.bats
@@ -3,23 +3,24 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# bats test_tags=systemd-detect-virt
+load common
+
 @test "systemd-detect-virt: List detectable virtualization technologies" {
 systemd-detect-virt --list
 }
 # bats test_tags=systemd-detect-virt
 @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" {
- systemd-detect-virt
+ systemd-detect-virt || true
 }
 # bats test_tags=systemd-detect-virt
 @test "systemd-detect-virt: Silently check without printing anything" {
- systemd-detect-virt --quiet
+ systemd-detect-virt --quiet || true
 }
 # bats test_tags=systemd-detect-virt
 @test "systemd-detect-virt: Only detect hardware virtualization" {
- systemd-detect-virt --vm
+ systemd-detect-virt --vm || true
 }
diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats
index 9a9def4d..67bf5907 100644
--- a/tests/bats/systemd-id128.bats
+++ b/tests/bats/systemd-id128.bats
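Review bot: The three tests after the first in systemd-detect-virt.bats still carry `# bats test_tags=systemd-detect-virt` while this commit strips the tag comments from every other file and the Go template no longer emits them, so the file ends up half-tagged; the `# bats test_tags=chsh` left on the last chsh.bats test has the same inconsistency. If the tags are gone for good, drop the three remaining lines here; if they are still meant for `bats --filter-tags`, the first test (untagged even before this change) should get one as well. Adding `load common` here also hooks this file into the common `setup_file`/`teardown` for the first time, so a denial raised by any of these commands now fails the test where it previously went unnoticed — worth a word in the commit message if that is intended.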
@@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier" { systemd-id128 new - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Print the identifier of the current machine" { systemd-id128 machine-id - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Print the identifier of the current boot" { systemd-id128 boot-id - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { systemd-id128 new --uuid - aa_check } diff --git a/tests/bats/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats index f4230d6b..0816fd45 100644 --- a/tests/bats/systemd-sysusers.bats +++ b/tests/bats/systemd-sysusers.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config - aa_check } -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { systemd-sysusers --dry-run - aa_check } -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Create users and groups from all configuration file" { sudo systemd-sysusers - aa_check } diff --git a/tests/bats/uname.bats b/tests/bats/uname.bats index 683cef11..8723b9fe 100644 --- a/tests/bats/uname.bats +++ b/tests/bats/uname.bats 
@@ -5,55 +5,35 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uname @test "uname: Print all information" { uname --all - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel name" { uname --kernel-name - aa_check } -# bats test_tags=uname @test "uname: Print the current network node host name" { uname --nodename - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel release" { uname --kernel-release - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel version" { uname --kernel-version - aa_check } -# bats test_tags=uname @test "uname: Print the current machine hardware name" { uname --machine - aa_check } -# bats test_tags=uname @test "uname: Print the current processor type" { uname --processor - aa_check } -# bats test_tags=uname @test "uname: Print the current operating system name" { uname --operating-system - aa_check } diff --git a/tests/bats/upower.bats b/tests/bats/upower.bats index 73afc18e..3917621b 100644 --- a/tests/bats/upower.bats +++ b/tests/bats/upower.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=upower @test "upower: Display power and battery information" { upower --dump - aa_check } -# bats test_tags=upower @test "upower: List all power devices" { upower --enumerate - aa_check } -# bats test_tags=upower @test "upower: Display version" { upower --version - aa_check } diff --git a/tests/bats/uptime.bats b/tests/bats/uptime.bats index 846342f4..7b64e8d2 100644 --- a/tests/bats/uptime.bats +++ b/tests/bats/uptime.bats 
@@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uptime @test "uptime: Print current time, uptime, number of logged-in users and other information" { uptime - aa_check } -# bats test_tags=uptime @test "uptime: Show only the amount of time the system has been booted for" { uptime --pretty - aa_check } -# bats test_tags=uptime @test "uptime: Print the date and time the system booted up at" { uptime --since - aa_check } -# bats test_tags=uptime @test "uptime: Display version" { uptime --version - aa_check } diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats index 833e0160..5ac024f1 100644 --- a/tests/bats/useradd.bats +++ b/tests/bats/useradd.bats @@ -5,45 +5,28 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=useradd @test "useradd: Create a new user with the specified shell" { sudo useradd --shell /bin/bash --create-home user2 - aa_check } -# bats test_tags=useradd @test "useradd: Create a new user with the specified user ID" { sudo useradd --uid 3000 user3 - aa_check } -# bats test_tags=useradd @test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { sudo useradd --groups adm user4 - aa_check } - -# bats test_tags=useradd @test "useradd: Create a new system user without the home directory" { sudo useradd --system sys2 - aa_check } -# bats test_tags=userdel @test "userdel: Remove a user" { sudo userdel user3 sudo userdel user4 sudo userdel sys2 - aa_check } -# bats test_tags=userdel @test "userdel: Remove a user along with the home directory and mail spool" { sudo userdel --remove user2 - aa_check } diff --git a/tests/bats/userdbctl.bats b/tests/bats/userdbctl.bats index 6169de44..065dba5f 100644 --- a/tests/bats/userdbctl.bats +++ b/tests/bats/userdbctl.bats 
@@ -5,37 +5,23 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=userdbctl @test "userdbctl: List all known user records" { userdbctl --no-pager user - aa_check } -# bats test_tags=userdbctl @test "userdbctl: Show details of a specific user" { userdbctl --no-pager user "$USER" - aa_check } -# bats test_tags=userdbctl @test "userdbctl: List all known groups" { userdbctl --no-pager group - aa_check } -# bats test_tags=userdbctl @test "userdbctl: Show details of a specific group" { sudo userdbctl --no-pager group "$USER" - aa_check } -# bats test_tags=userdbctl @test "userdbctl: List all services currently providing user/group definitions to the system" { userdbctl --no-pager services - aa_check } diff --git a/tests/bats/users.bats b/tests/bats/users.bats index 097870ab..8f8ad383 100644 --- a/tests/bats/users.bats +++ b/tests/bats/users.bats @@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=users @test "users: Print logged in usernames" { users - aa_check } -# bats test_tags=users @test "users: Print logged in usernames according to a given file" { users /var/log/wmtp - aa_check } diff --git a/tests/bats/uuidd.bats b/tests/bats/uuidd.bats index e13653e3..9e3ac5ef 100644 --- a/tests/bats/uuidd.bats +++ b/tests/bats/uuidd.bats @@ -5,25 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uuidd @test "uuidd: Generate a random UUID" { uuidd --random - aa_check } -# bats test_tags=uuidd @test "uuidd: Generate a bulk number of random UUIDs" { uuidd --random --uuids 10 - aa_check } -# bats test_tags=uuidd @test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { uuidd --time - aa_check } - diff --git a/tests/bats/uuidgen.bats b/tests/bats/uuidgen.bats index 8caa4186..eb6465c0 100644 --- a/tests/bats/uuidgen.bats +++ b/tests/bats/uuidgen.bats 
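Review bot: `users /var/log/wmtp` in the second users.bats test names a file that does not exist — the login record file is `/var/log/wtmp` — so `users` exits non-zero and the test fails on every host regardless of the profile, and the profile's access to the real file is never exercised. The fix is the one-character change `users /var/log/wtmp`.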
@@ -5,19 +5,10 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=uuidgen
 @test "uuidgen: Create a random UUIDv4" {
 uuidgen --random
- aa_check
 }
-# bats test_tags=uuidgen
 @test "uuidgen: Create a UUIDv1 based on the current time" {
 uuidgen --time
- aa_check
 }
-
diff --git a/tests/bats/w.bats b/tests/bats/w.bats
index 7f358aac..1b97ba44 100644
--- a/tests/bats/w.bats
+++ b/tests/bats/w.bats
@@ -5,18 +5,10 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=w
 @test "w: Display information about all users who are currently logged in" {
 w
- aa_check
 }
-# bats test_tags=w
 @test "w: Display information about a specific user" {
 w root
- aa_check
 }
diff --git a/tests/bats/who.bats b/tests/bats/who.bats
index f8aaf5a1..c05995d0 100644
--- a/tests/bats/who.bats
+++ b/tests/bats/who.bats
@@ -5,25 +5,15 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=who
 @test "who: Display the username, line, and time of all currently logged-in sessions" {
 who
- aa_check
 }
-# bats test_tags=who
 @test "who: Display all available information" {
 who -a
- aa_check
 }
-# bats test_tags=who
 @test "who: Display all available information with table headers" {
 who -a -H
- aa_check
 }
diff --git a/tests/cmd/main.go b/tests/cmd/main.go
index 5ca94819..eb88de1e 100644
--- a/tests/cmd/main.go
+++ b/tests/cmd/main.go
@@ -68,7 +68,6 @@ func run() error {
 if err != nil {
 return err
 }
- tests = tests.Filter()
 if err := cfg.BatsDir.RemoveAll(); err != nil {
 return err
@@ -76,6 +75,12 @@ func run() error {
 if err := cfg.BatsDir.MkdirAll(); err != nil {
 return err
 }
+ if err := cfg.BatsDir.Join("profiled").MkdirAll(); err != nil {
+ return err
+ }
+ if err := cfg.BatsDir.Join("unprofiled").MkdirAll(); err != nil {
+ return err
+ }
 for _, test := range tests {
 if err := test.Write(cfg.BatsDir); err != nil {
 return err
diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go
index 2d37324e..1c5f55ae 100644
--- a/tests/cmd/tests.go
+++ b/tests/cmd/tests.go
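Review bot: Removing `tests = tests.Filter()` in main.go, combined with `Write` no longer returning early for unprofiled tests (tests.go, next hunk), means every known test definition is now rendered to disk; if `Filter` was what excluded tests for commands absent on the host (tests.go still exposes `IsInstalled()`), those now land under `unprofiled/` and fail at run time with command-not-found instead of being skipped. Either keep a filter step or state the new contract in a comment above the two `MkdirAll` calls, e.g. `// Every test is written: profiled/ for commands with a profile, unprofiled/ for the rest; nothing is filtered here.` run() starts and ends outside the hunk.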
@@ -20,16 +20,10 @@ const tmplTest = `#!/usr/bin/env bats
 # SPDX-License-Identifier: GPL-2.0-only
 load common
-
-setup_file() {
- aa_setup
-}
 {{ $name := .Name -}}
 {{ range .Commands }}
-# bats test_tags={{ $name }}
 @test "{{ $name }}: {{ .Description }}" {
 {{ .Cmd }}
- aa_check
 }
 {{ end }}
 `
@@ -77,13 +71,14 @@ func (t Test) IsInstalled() bool {
 }
 func (t Test) Write(dir *paths.Path) error {
+ dstDir := dir.Join("profiled")
 if !t.HasProfile() {
- return nil
+ dstDir = dir.Join("unprofiled")
 }
+ path := dstDir.Join(t.Name + ".bats")
- path := dir.Join(t.Name + ".bats")
 if paths.New("tests/bats").Join(t.Name + ".bats").Exist() {
- path = dir.Join("00." + t.Name + ".bats")
+ path = dstDir.Join("00." + t.Name + ".bats")
 }
 content := renderBatsFile(t)
 if err := path.WriteFile([]byte(content)); err != nil {
From 5c70c50c26d358f74862f7b0a5460e40e0b596d5 Mon Sep 17 00:00:00 2001
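Review bot: `Write` now has three behaviours that nothing at the function states: profiled tests go to `dir/profiled`, unprofiled ones to `dir/unprofiled`, and when a hand-written `tests/bats/<name>.bats` exists the generated file gets a `00.` prefix (presumably so the two do not collide and the generated one sorts first — confirm). `paths.New("tests/bats")` is resolved against the working directory, so that prefix rule silently stops applying when the binary is run from anywhere but the repository root; a doc comment of the form `// Write renders t as a bats file under dir/profiled, or dir/unprofiled when t has no profile. If a hand-written tests/bats/<name>.bats exists (checked relative to the cwd), the generated file is named 00.<name>.bats instead.` would record both. The rest of Write continues outside the hunk.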
From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:27:04 +0000 Subject: [PATCH 40/64] tests: cleanup the basic structure of integration tests. --- tests/bats/aa-enforce.bats | 8 ------ tests/bats/aa-status.bats | 14 ---------- tests/bats/blkid.bats | 8 ------ tests/bats/chsh.bats | 9 ------ tests/bats/common.bash | 12 +++++++- tests/bats/cpuid.bats | 10 ------- tests/bats/df.bats | 14 ---------- tests/bats/dfc.bats | 12 -------- tests/bats/fc-cache.bats | 11 -------- tests/bats/fc-list.bats | 6 ---- tests/bats/flatpak.bats | 18 ------------ tests/bats/gpgconf.bats | 14 ---------- tests/bats/groupadd.bats | 12 -------- tests/bats/groups.bats | 8 ------ tests/bats/homectl.bats | 16 ----------- tests/bats/hostnamectl.bats | 7 ----- tests/bats/id.bats | 15 ---------- tests/bats/ip.bats | 43 +++++++++++++++-------------- tests/bats/lsblk.bats | 20 -------------- tests/bats/lscpu.bats | 10 ------- tests/bats/lspci.bats | 14 ---------- tests/bats/lsusb.bats | 10 ------- tests/bats/ps.bats | 16 ----------- tests/bats/pstree.bats | 10 ------- tests/bats/snap.bats | 18 ------------ tests/bats/sync.bats | 8 ------ tests/bats/systemd-ac-power.bats | 8 ------ tests/bats/systemd-analyze.bats | 11 +------- tests/bats/systemd-cat.bats | 8 ------ tests/bats/systemd-cgls.bats | 10 ------- tests/bats/systemd-detect-virt.bats | 9 +++--- tests/bats/systemd-id128.bats | 12 -------- tests/bats/systemd-sysusers.bats | 10 ------- tests/bats/uname.bats | 20 -------------- tests/bats/upower.bats | 10 ------- tests/bats/uptime.bats | 12 -------- tests/bats/useradd.bats | 17 ------------ tests/bats/userdbctl.bats | 14 ---------- tests/bats/users.bats | 8 ------ tests/bats/uuidd.bats | 11 -------- tests/bats/uuidgen.bats | 9 ------ tests/bats/w.bats | 8 ------ tests/bats/who.bats | 10 ------- tests/cmd/main.go | 7 ++++- tests/cmd/tests.go | 13 +++------ 45 files changed, 49 insertions(+), 501 deletions(-) 
diff --git a/tests/bats/aa-enforce.bats b/tests/bats/aa-enforce.bats index 05f311ca..d6b549b1 100644 --- a/tests/bats/aa-enforce.bats +++ b/tests/bats/aa-enforce.bats @@ -10,26 +10,18 @@ setup_file() { skip } -# bats test_tags=aa-enforce @test "aa-enforce: Disable profile" { sudo aa-disable pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Enforce a profile" { sudo aa-enforce pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Complain a profile" { sudo aa-complain pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Audit a profile" { sudo aa-audit pass - aa_check } diff --git a/tests/bats/aa-status.bats b/tests/bats/aa-status.bats index 8adcd158..fbfb6667 100644 --- a/tests/bats/aa-status.bats +++ b/tests/bats/aa-status.bats @@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=aa-status @test "aa-status: Check status" { sudo aa-status - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded policies" { sudo aa-status --profiled - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforicing policies" { sudo aa-status --enforced - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded non-enforcing policies" { sudo aa-status --complaining - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforcing policies that kill tasks" { sudo aa-status --kill - aa_check } diff --git a/tests/bats/blkid.bats b/tests/bats/blkid.bats index 65160f18..6dcf4b4d 100644 --- a/tests/bats/blkid.bats +++ b/tests/bats/blkid.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=blkid @test "blkid: List all partitions" { sudo blkid - aa_check } -# bats test_tags=blkid @test "blkid: List all partitions in a table, including current mountpoints" { sudo blkid -o list - aa_check } 
diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats
index f66eb1f9..a9f5a697 100644
--- a/tests/bats/chsh.bats
+++ b/tests/bats/chsh.bats
@@ -5,24 +5,15 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=chsh
 @test "chsh: [l]ist available shells" {
 chsh --list-shells || true
- aa_check
 }
-# bats test_tags=chsh
 @test "chsh: Set a specific login [s]hell for the current user" {
 echo "$PASSWORD" | chsh --shell /usr/bin/bash
- aa_check
 }
 # bats test_tags=chsh
 @test "chsh: Set a login [s]hell for a specific user" {
 sudo chsh --shell /usr/bin/sh root
- aa_check
 }
diff --git a/tests/bats/common.bash b/tests/bats/common.bash
index f99c3c19..556ef871 100644
--- a/tests/bats/common.bash
+++ b/tests/bats/common.bash
@@ -105,8 +105,18 @@ aa_check() {
 now=$(date +%s)
 duration=$((now - _START + 1))
 logs=$(aa-log --raw --systemd --since "-${duration}s")
+ aa_start
 if [[ -n "$logs" ]]; then
 fail "profile $PROGRAM raised logs: $logs"
 fi
- aa_start
+}
+
+# Bats setup and teardown hooks
+
+setup_file() {
+ aa_setup
+}
+
+teardown() {
+ aa_check
 }
diff --git a/tests/bats/cpuid.bats b/tests/bats/cpuid.bats
index 1b1226e2..0fe2da6a 100644
--- a/tests/bats/cpuid.bats
+++ b/tests/bats/cpuid.bats
@@ -5,24 +5,14 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=cpuid
 @test "cpuid: Display information for all CPUs" {
 cpuid
- aa_check
 }
-# bats test_tags=cpuid
 @test "cpuid: Display information only for the current CPU" {
 cpuid -1
- aa_check
 }
-# bats test_tags=cpuid
 @test "cpuid: Display raw hex information with no decoding" {
 cpuid -r
- aa_check
 }
diff --git a/tests/bats/df.bats b/tests/bats/df.bats
index ea9d3f44..a97ad53c 100644
--- a/tests/bats/df.bats
+++ b/tests/bats/df.bats
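Review bot: The `setup_file()` hook added to common.bash is shadowed by any test file that still defines its own after `load common`: aa-enforce.bats and homectl.bats both keep `setup_file() { skip }` in this commit, so `aa_setup` never runs there. That is harmless while the body is a bare `skip`, but as soon as one of those files is un-skipped its tests run without whatever `aa_setup` establishes (the `_START` that `aa_check` reads is presumably set there — confirm), and the new `teardown` then measures against a stale or unset window; calling `aa_setup` before `skip` in those overrides, or moving the skip into the individual tests, removes the trap. Moving `aa_start` above the `fail` is the right fix, since `fail` returns before the old position was reached; note as well that `aa-log --since` catches denials from every profile in the window, not only `$PROGRAM`, so the failure message can name the wrong profile when other confined activity runs on the host. A line in the `# Bats setup and teardown hooks` comment saying that `teardown` runs `aa_check` after every test, including ones whose command already failed, would make the new contract explicit. aa_check begins outside the hunk.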
@@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=df @test "df: Display all filesystems and their disk usage" { df - aa_check } -# bats test_tags=df @test "df: Display all filesystems and their disk usage in human-readable form" { df -h - aa_check } -# bats test_tags=df @test "df: Display the filesystem and its disk usage containing the given file or directory" { df apparmor.d/ - aa_check } -# bats test_tags=df @test "df: Include statistics on the number of free inodes" { df --inodes - aa_check } -# bats test_tags=df @test "df: Display filesystem types" { df --print-type - aa_check } diff --git a/tests/bats/dfc.bats b/tests/bats/dfc.bats index 8a1d1891..56871f16 100644 --- a/tests/bats/dfc.bats +++ b/tests/bats/dfc.bats @@ -5,30 +5,18 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=dfc @test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { dfc - aa_check } -# bats test_tags=dfc @test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { dfc -a - aa_check } -# bats test_tags=dfc @test "dfc: Display filesystems without color" { dfc -c never - aa_check } -# bats test_tags=dfc @test "dfc: Display filesystems containing "ext" in the filesystem type" { dfc -t ext - aa_check } diff --git a/tests/bats/fc-cache.bats b/tests/bats/fc-cache.bats index 7ad92d94..05b8f193 100644 --- a/tests/bats/fc-cache.bats +++ b/tests/bats/fc-cache.bats @@ -5,25 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=fc-cache @test "fc-cache: Generate font cache files" { fc-cache - aa_check } -# bats test_tags=fc-cache @test "fc-cache: Force a rebuild of all font cache files, without checking if cache is up-to-date" { fc-cache -f - aa_check } -# bats test_tags=fc-cache @test "fc-cache: Erase font cache files, then generate new font cache files" { fc-cache -r - aa_check } - 
diff --git a/tests/bats/fc-list.bats b/tests/bats/fc-list.bats index b85b1037..52ed4388 100644 --- a/tests/bats/fc-list.bats +++ b/tests/bats/fc-list.bats @@ -5,12 +5,6 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=fc-list @test "fc-list: Return a list of installed fonts in your system" { fc-list - aa_check } diff --git a/tests/bats/flatpak.bats b/tests/bats/flatpak.bats index 23647c93..e549e01a 100644 --- a/tests/bats/flatpak.bats +++ b/tests/bats/flatpak.bats @@ -5,48 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=flatpak @test "flatpak: List installed applications, ignoring runtimes" { flatpak list --app - aa_check } -# bats test_tags=flatpak @test "flatpak: Install an application from a remote source" { flatpak install --noninteractive org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Show information about an installed application" { flatpak info org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Run an installed application" { flatpak run org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Update all installed applications and runtimes" { flatpak update --noninteractive - aa_check } -# bats test_tags=flatpak @test "flatpak: Remove an installed application" { flatpak remove --noninteractive org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Remove all unused applications" { flatpak remove --unused - aa_check } diff --git a/tests/bats/gpgconf.bats b/tests/bats/gpgconf.bats index 7d522d85..7155c5aa 100644 --- a/tests/bats/gpgconf.bats +++ b/tests/bats/gpgconf.bats 
@@ -5,44 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=gpgconf @test "gpgconf: List all components" { gpgconf --list-components - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List the directories used by gpgconf" { gpgconf --list-dirs - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List all options of a component" { gpgconf --list-options gpg gpgconf --list-options gpgsm gpgconf --list-options gpg-agent gpgconf --list-options scdaemon || true gpgconf --list-options dirmngr - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List programs and test whether they are runnable" { gpgconf --check-programs || true - aa_check } -# bats test_tags=gpgconf @test "gpgconf: Reload a component" { gpgconf --reload gpg gpgconf --reload gpgsm gpgconf --reload gpg-agent gpgconf --reload scdaemon || true gpgconf --reload dirmngr - aa_check } diff --git a/tests/bats/groupadd.bats b/tests/bats/groupadd.bats index f5557959..cbc0aa57 100644 --- a/tests/bats/groupadd.bats +++ b/tests/bats/groupadd.bats @@ -5,32 +5,20 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=groupadd @test "groupadd: Create a new group" { sudo groupadd user2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new system group" { sudo groupadd --system system2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new group with the specific groupid" { sudo groupadd --gid 3000 user3 - aa_check } -# bats test_tags=groupadd @test "groupdel: Delete newly created group" { sudo groupdel user2 sudo groupdel system2 sudo groupdel user3 - aa_check } diff --git a/tests/bats/groups.bats b/tests/bats/groups.bats index 829e2393..60bf6ea4 100644 --- a/tests/bats/groups.bats +++ b/tests/bats/groups.bats 
@@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=groups @test "groups: Print group memberships for the current user" { groups - aa_check } -# bats test_tags=groups @test "groups: Print group memberships for a list of users" { groups root - aa_check } diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 2ce62214..32ff3e57 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -10,50 +10,34 @@ setup_file() { skip } -# bats test_tags=homectl @test "homectl: Display help" { homectl --no-pager --help - aa_check } -# bats test_tags=homectl @test "homectl: Create a user account and their associated home directory" { sudo homectl create user2 - aa_check } -# bats test_tags=homectl @test "homectl: List user accounts and their associated home directories" { homectl list - aa_check } -# bats test_tags=homectl @test "homectl: Change the password for a specific user" { sudo homectl passwd user2 - aa_check } -# bats test_tags=homectl @test "homectl: Run a shell or a command with access to a specific home directory" { sudo homectl with user2 -- ls -al /home/user2 - aa_check } -# bats test_tags=homectl @test "homectl: Lock or unlock a specific home directory" { sudo homectl lock user2 - aa_check } -# bats test_tags=homectl @test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" { sudo homectl resize user2 1G - aa_check } -# bats test_tags=homectl @test "homectl: Remove a specific user and the associated home directory" { sudo homectl remove user2 - aa_check } diff --git a/tests/bats/hostnamectl.bats b/tests/bats/hostnamectl.bats index dd410257..2c15658a 100644 --- a/tests/bats/hostnamectl.bats +++ b/tests/bats/hostnamectl.bats 
@@ -5,21 +5,14 @@ load common -setup() { - aa_setup -} - -# bats test_tags=hostnamectl @test "hostnamectl: Get the hostname of the computer" { hostnamectl } -# bats test_tags=hostnamectl @test "hostnamectl: Get the location of the computer" { hostnamectl location } -# bats test_tags=hostnamectl @test "hostnamectl: Set the hostname of the computer" { name=$(hostnamectl hostname) sudo hostnamectl set-hostname "new" diff --git a/tests/bats/id.bats b/tests/bats/id.bats index 5a7b58c5..a09def4a 100644 --- a/tests/bats/id.bats +++ b/tests/bats/id.bats @@ -5,41 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=id @test "id: Display current user's ID (UID), group ID (GID) and groups to which they belong" { id - aa_check } -# bats test_tags=id @test "id: Display the current user identity" { id -un - aa_check } -# bats test_tags=id @test "id: Display the current user identity as a number" { id -u - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity" { id -gn - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity as a number" { id -g - aa_check } -# bats test_tags=id @test "id: Display an arbitrary user ID (UID), group ID (GID) and groups to which they belong" { id root } diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 47f16ccd..6d5508c8 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats 
@@ -5,41 +5,42 @@ load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=ip
-@test "ip: List interfaces with detailed info" {
+@test "ip-address: List network interfaces and their associated IP addresses" {
 ip address
- aa_check
 }
-# bats test_tags=ip
-@test "ip: List interfaces with brief link layer info" {
- ip link
- aa_check
+@test "ip-address: Filter to show only active network interfaces" {
+ ip address show up
 }
-# bats test_tags=ip
-@test "ip: Display the routing table" {
+@test "ip-route: Display the routing table" {
 ip route
- aa_check
 }
-# bats test_tags=ip
-@test "ip: Show neighbors (ARP table)" {
+@test "ip-route-get: Print route to a destination" {
+ ip route get 1.1.1.1
+}
+
+@test "ip link: Show information about all network interfaces" {
+ ip link
+}
+
+@test "ip neighbour: Display the neighbour/ARP table entries" {
 ip neighbour
- aa_check
 }
-# bats test_tags=ip
+@test "ip rule: Display the routing policy" {
+ ip rule show
+ ip rule list
+}
+
+@test "ip rule: Flush all deleted rules" {
+ ip rule flush
+}
+
 @test "ip: Manage network namespace" {
 sudo ip netns add foo
 sudo ip netns list
 sudo ip netns exec foo bash -c "pwd"
 sudo ip netns delete foo
- aa_check
 }
-
-
diff --git a/tests/bats/lsblk.bats b/tests/bats/lsblk.bats
index 4fecf42a..4dc3e20b 100644
--- a/tests/bats/lsblk.bats
+++ b/tests/bats/lsblk.bats
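Review bot: `ip route get 1.1.1.1` in the new ip-route-get test depends on the host having a route to that address, so on a runner without a default route it exits non-zero and the test fails for a reason unrelated to the profile; the lsusb tests in this same series guard environment-dependent commands with `|| true`, and the same guard fits here: `ip route get 1.1.1.1 || true`. Every test in this file also drops `aa_check`, as do all the other bats hunks in this series and the generated template in tests/cmd/tests.go; unless that check now runs from a hook in `common` (not visible here), these files no longer assert anything about AppArmor denials after the command runs, which is presumably what `aa_check` did, and a short comment in `common` or the commit message stating where the check moved would settle that. The test names in this file mix the `ip-address:`/`ip-route:` form with `ip link:`/`ip neighbour:`; one form throughout keeps the suite output sortable.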
@@ -5,54 +5,34 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lsblk @test "lsblk: List all storage devices in a tree-like format" { lsblk - aa_check } -# bats test_tags=lsblk @test "lsblk: Also list empty devices" { lsblk -a - aa_check } -# bats test_tags=lsblk @test "lsblk: Print the SIZE column in bytes rather than in a human-readable format" { lsblk -b - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about filesystems" { lsblk -f - aa_check } -# bats test_tags=lsblk @test "lsblk: Use ASCII characters for tree formatting" { lsblk -i - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about block-device topology" { lsblk -t - aa_check } -# bats test_tags=lsblk @test "lsblk: Exclude the devices specified by the comma-separated list of major device numbers" { lsblk -e 1 - aa_check } -# bats test_tags=lsblk @test "lsblk: Display a customized summary using a comma-separated list of columns" { lsblk --output NAME,SERIAL,MODEL,TRAN,TYPE,SIZE,FSTYPE,MOUNTPOINT - aa_check } diff --git a/tests/bats/lscpu.bats b/tests/bats/lscpu.bats index ef09cfbb..d0959906 100644 --- a/tests/bats/lscpu.bats +++ b/tests/bats/lscpu.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lscpu @test "lscpu: Display information about all CPUs" { lscpu - aa_check } -# bats test_tags=lscpu @test "lscpu: Display information in a table" { lscpu --extended - aa_check } -# bats test_tags=lscpu @test "lscpu: Display only information about offline CPUs in a table" { lscpu --extended --offline - aa_check } diff --git a/tests/bats/lspci.bats b/tests/bats/lspci.bats index bc6ea201..02190660 100644 --- a/tests/bats/lspci.bats +++ b/tests/bats/lspci.bats 
@@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lspci @test "lspci: Show a brief list of devices" { lspci - aa_check } -# bats test_tags=lspci @test "lspci: Display additional info" { lspci -v - aa_check } -# bats test_tags=lspci @test "lspci: Display drivers and modules handling each device" { lspci -k - aa_check } -# bats test_tags=lspci @test "lspci: Show a specific device" { lspci -s 00:00.0 - aa_check } -# bats test_tags=lspci @test "lspci: Dump info in a readable form" { lspci -vm - aa_check } diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats index 8f646d89..f5444fce 100644 --- a/tests/bats/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lsusb @test "lsusb: List all the USB devices available" { lsusb || true - aa_check } -# bats test_tags=lsusb @test "lsusb: List the USB hierarchy as a tree" { lsusb -t || true - aa_check } -# bats test_tags=lsusb @test "lsusb: List verbose information about USB devices" { lsusb --verbose || true - aa_check } diff --git a/tests/bats/ps.bats b/tests/bats/ps.bats index 4be301f7..bcdfbe1b 100644 --- a/tests/bats/ps.bats +++ b/tests/bats/ps.bats @@ -5,42 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=ps @test "ps: List all running processes" { ps aux - aa_check } -# bats test_tags=ps @test "ps: List all running processes including the full command string" { ps auxww - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user in extra full format" { ps --user "$(id -u)" -F - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user as a tree" { ps --user "$(id -u)" -f - aa_check } -# bats test_tags=ps @test "ps: Get the parent PID of a process" { ps -o ppid= -p 1 - aa_check } -# bats test_tags=ps @test "ps: Sort processes by memory consumption" { ps auxww --sort size - aa_check } 
diff --git a/tests/bats/pstree.bats b/tests/bats/pstree.bats index e3ed5fa8..23094478 100644 --- a/tests/bats/pstree.bats +++ b/tests/bats/pstree.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=pstree @test "pstree: Display a tree of processes" { pstree - aa_check } -# bats test_tags=pstree @test "pstree: Display a tree of processes with PIDs" { pstree -p - aa_check } -# bats test_tags=pstree @test "pstree: Display all process trees rooted at processes owned by specified user" { pstree root - aa_check } diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index ef6a292d..1eff200a 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -5,48 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=snap @test "snap: Search for a package" { snap find vim - aa_check } -# bats test_tags=snap @test "snap: Install a package" { sudo snap install nano-strict - aa_check } -# bats test_tags=snap @test "snap: Update a package to another channel (track, risk, or branch)" { sudo snap refresh nano-strict --channel=edge - aa_check } -# bats test_tags=snap @test "snap: Update all packages" { sudo snap refresh - aa_check } -# bats test_tags=snap @test "snap: Display basic information about installed snap software" { sudo snap list - aa_check } -# bats test_tags=snap @test "snap: Check for recent snap changes in the system" { sudo snap changes - aa_check } -# bats test_tags=snap @test "snap: Uninstall a package" { sudo snap remove nano-strict - aa_check } diff --git a/tests/bats/sync.bats b/tests/bats/sync.bats index fba657ff..9f2e2688 100644 --- a/tests/bats/sync.bats +++ b/tests/bats/sync.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=sync @test "sync: Flush all pending write operations on all disks" { sync - aa_check } -# bats test_tags=sync @test "sync: Flush all pending write operations on a single file to disk" { sudo sync / - aa_check } 
diff --git a/tests/bats/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats index 78f68d13..30019825 100644 --- a/tests/bats/systemd-ac-power.bats +++ b/tests/bats/systemd-ac-power.bats @@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-ac-power @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true - aa_check } -# bats test_tags=systemd-ac-power @test "systemd-ac-power: Check if battery is discharging and low" { systemd-ac-power --low || true - aa_check } diff --git a/tests/bats/systemd-analyze.bats b/tests/bats/systemd-analyze.bats index 3f6144a7..6bb275bb 100644 --- a/tests/bats/systemd-analyze.bats +++ b/tests/bats/systemd-analyze.bats @@ -5,25 +5,16 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-analyze @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame - aa_check } -# bats test_tags=systemd-analyze @test "systemd-analyze: Print a tree of the time-critical chain of units" { systemd-analyze --no-pager critical-chain - aa_check } -# bats test_tags=systemd-analyze @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security - aa_check } + diff --git a/tests/bats/systemd-cat.bats b/tests/bats/systemd-cat.bats index 595a6002..da634982 100644 --- a/tests/bats/systemd-cat.bats +++ b/tests/bats/systemd-cat.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-cat @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd - aa_check } -# bats test_tags=systemd-cat @test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { echo apparmor.d-test-suite | systemd-cat - aa_check } 
diff --git a/tests/bats/systemd-cgls.bats b/tests/bats/systemd-cgls.bats
index b5bb89de..dca00b62 100644
--- a/tests/bats/systemd-cgls.bats
+++ b/tests/bats/systemd-cgls.bats
@@ -5,25 +5,15 @@ load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=systemd-cgls
 @test "systemd-cgls: Display the whole control group hierarchy on your system" {
 systemd-cgls --no-pager
- aa_check
 }
-# bats test_tags=systemd-cgls
 @test "systemd-cgls: Display a control group tree of a specific resource controller" {
 systemd-cgls --no-pager io
- aa_check
 }
-# bats test_tags=systemd-cgls
 @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" {
 systemd-cgls --no-pager --unit systemd-logind
- aa_check
 }
diff --git a/tests/bats/systemd-detect-virt.bats b/tests/bats/systemd-detect-virt.bats
index 0ea5fae3..41150ef7 100644
--- a/tests/bats/systemd-detect-virt.bats
+++ b/tests/bats/systemd-detect-virt.bats
@@ -3,23 +3,24 @@ # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# bats test_tags=systemd-detect-virt
+load common
+
 @test "systemd-detect-virt: List detectable virtualization technologies" {
 systemd-detect-virt --list
 }
 # bats test_tags=systemd-detect-virt
 @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" {
- systemd-detect-virt
+ systemd-detect-virt || true
 }
 # bats test_tags=systemd-detect-virt
 @test "systemd-detect-virt: Silently check without printing anything" {
- systemd-detect-virt --quiet
+ systemd-detect-virt --quiet || true
 }
 # bats test_tags=systemd-detect-virt
 @test "systemd-detect-virt: Only detect hardware virtualization" {
- systemd-detect-virt --vm
+ systemd-detect-virt --vm || true
 }
diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats
index 9a9def4d..67bf5907 100644
--- a/tests/bats/systemd-id128.bats
+++ b/tests/bats/systemd-id128.bats
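Review bot: With `|| true` appended to the three detection tests in systemd-detect-virt.bats, a non-zero exit can no longer fail them, so a binary that is blocked outright (denied exec, crash at startup) passes exactly like the legitimate "not virtualized" result; for `systemd-detect-virt --quiet` the exit status is the only observable output, so that test now cannot fail at all. If the purpose is only to exercise the profile, say so in a comment above the first guarded call, `# non-zero just means "not virtualized"; the profile is what is under test`; otherwise use bats' `run systemd-detect-virt --quiet` and assert on `$status` against the documented detection codes instead of discarding it. The hunk also drops the `# bats test_tags` line from the first test only, leaving the other three tagged, which is inconsistent within the file whichever way the series settles on tags.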
@@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier" { systemd-id128 new - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Print the identifier of the current machine" { systemd-id128 machine-id - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Print the identifier of the current boot" { systemd-id128 boot-id - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { systemd-id128 new --uuid - aa_check } diff --git a/tests/bats/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats index f4230d6b..0816fd45 100644 --- a/tests/bats/systemd-sysusers.bats +++ b/tests/bats/systemd-sysusers.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config - aa_check } -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { systemd-sysusers --dry-run - aa_check } -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Create users and groups from all configuration file" { sudo systemd-sysusers - aa_check } diff --git a/tests/bats/uname.bats b/tests/bats/uname.bats index 683cef11..8723b9fe 100644 --- a/tests/bats/uname.bats +++ b/tests/bats/uname.bats 
@@ -5,55 +5,35 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uname @test "uname: Print all information" { uname --all - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel name" { uname --kernel-name - aa_check } -# bats test_tags=uname @test "uname: Print the current network node host name" { uname --nodename - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel release" { uname --kernel-release - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel version" { uname --kernel-version - aa_check } -# bats test_tags=uname @test "uname: Print the current machine hardware name" { uname --machine - aa_check } -# bats test_tags=uname @test "uname: Print the current processor type" { uname --processor - aa_check } -# bats test_tags=uname @test "uname: Print the current operating system name" { uname --operating-system - aa_check } diff --git a/tests/bats/upower.bats b/tests/bats/upower.bats index 73afc18e..3917621b 100644 --- a/tests/bats/upower.bats +++ b/tests/bats/upower.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=upower @test "upower: Display power and battery information" { upower --dump - aa_check } -# bats test_tags=upower @test "upower: List all power devices" { upower --enumerate - aa_check } -# bats test_tags=upower @test "upower: Display version" { upower --version - aa_check } diff --git a/tests/bats/uptime.bats b/tests/bats/uptime.bats index 846342f4..7b64e8d2 100644 --- a/tests/bats/uptime.bats +++ b/tests/bats/uptime.bats 
@@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uptime @test "uptime: Print current time, uptime, number of logged-in users and other information" { uptime - aa_check } -# bats test_tags=uptime @test "uptime: Show only the amount of time the system has been booted for" { uptime --pretty - aa_check } -# bats test_tags=uptime @test "uptime: Print the date and time the system booted up at" { uptime --since - aa_check } -# bats test_tags=uptime @test "uptime: Display version" { uptime --version - aa_check } diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats index 833e0160..5ac024f1 100644 --- a/tests/bats/useradd.bats +++ b/tests/bats/useradd.bats @@ -5,45 +5,28 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=useradd @test "useradd: Create a new user with the specified shell" { sudo useradd --shell /bin/bash --create-home user2 - aa_check } -# bats test_tags=useradd @test "useradd: Create a new user with the specified user ID" { sudo useradd --uid 3000 user3 - aa_check } -# bats test_tags=useradd @test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { sudo useradd --groups adm user4 - aa_check } - -# bats test_tags=useradd @test "useradd: Create a new system user without the home directory" { sudo useradd --system sys2 - aa_check } -# bats test_tags=userdel @test "userdel: Remove a user" { sudo userdel user3 sudo userdel user4 sudo userdel sys2 - aa_check } -# bats test_tags=userdel @test "userdel: Remove a user along with the home directory and mail spool" { sudo userdel --remove user2 - aa_check } diff --git a/tests/bats/userdbctl.bats b/tests/bats/userdbctl.bats index 6169de44..065dba5f 100644 --- a/tests/bats/userdbctl.bats +++ b/tests/bats/userdbctl.bats 
@@ -5,37 +5,23 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=userdbctl @test "userdbctl: List all known user records" { userdbctl --no-pager user - aa_check } -# bats test_tags=userdbctl @test "userdbctl: Show details of a specific user" { userdbctl --no-pager user "$USER" - aa_check } -# bats test_tags=userdbctl @test "userdbctl: List all known groups" { userdbctl --no-pager group - aa_check } -# bats test_tags=userdbctl @test "userdbctl: Show details of a specific group" { sudo userdbctl --no-pager group "$USER" - aa_check } -# bats test_tags=userdbctl @test "userdbctl: List all services currently providing user/group definitions to the system" { userdbctl --no-pager services - aa_check } diff --git a/tests/bats/users.bats b/tests/bats/users.bats index 097870ab..8f8ad383 100644 --- a/tests/bats/users.bats +++ b/tests/bats/users.bats @@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=users @test "users: Print logged in usernames" { users - aa_check } -# bats test_tags=users @test "users: Print logged in usernames according to a given file" { users /var/log/wmtp - aa_check } diff --git a/tests/bats/uuidd.bats b/tests/bats/uuidd.bats index e13653e3..9e3ac5ef 100644 --- a/tests/bats/uuidd.bats +++ b/tests/bats/uuidd.bats @@ -5,25 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uuidd @test "uuidd: Generate a random UUID" { uuidd --random - aa_check } -# bats test_tags=uuidd @test "uuidd: Generate a bulk number of random UUIDs" { uuidd --random --uuids 10 - aa_check } -# bats test_tags=uuidd @test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { uuidd --time - aa_check } - diff --git a/tests/bats/uuidgen.bats b/tests/bats/uuidgen.bats index 8caa4186..eb6465c0 100644 --- a/tests/bats/uuidgen.bats +++ b/tests/bats/uuidgen.bats 
@@ -5,19 +5,10 @@ load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=uuidgen
 @test "uuidgen: Create a random UUIDv4" {
 uuidgen --random
- aa_check
 }
-# bats test_tags=uuidgen
 @test "uuidgen: Create a UUIDv1 based on the current time" {
 uuidgen --time
- aa_check
 }
-
diff --git a/tests/bats/w.bats b/tests/bats/w.bats
index 7f358aac..1b97ba44 100644
--- a/tests/bats/w.bats
+++ b/tests/bats/w.bats
@@ -5,18 +5,10 @@ load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=w
 @test "w: Display information about all users who are currently logged in" {
 w
- aa_check
 }
-# bats test_tags=w
 @test "w: Display information about a specific user" {
 w root
- aa_check
 }
diff --git a/tests/bats/who.bats b/tests/bats/who.bats
index f8aaf5a1..c05995d0 100644
--- a/tests/bats/who.bats
+++ b/tests/bats/who.bats
@@ -5,25 +5,15 @@ load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=who
 @test "who: Display the username, line, and time of all currently logged-in sessions" {
 who
- aa_check
 }
-# bats test_tags=who
 @test "who: Display all available information" {
 who -a
- aa_check
 }
-# bats test_tags=who
 @test "who: Display all available information with table headers" {
 who -a -H
- aa_check
 }
diff --git a/tests/cmd/main.go b/tests/cmd/main.go
index 5ca94819..eb88de1e 100644
--- a/tests/cmd/main.go
+++ b/tests/cmd/main.go
@@ -68,7 +68,6 @@ func run() error {
 if err != nil {
 return err
 }
- tests = tests.Filter()
 if err := cfg.BatsDir.RemoveAll(); err != nil {
 return err
@@ -76,6 +75,12 @@ func run() error {
 if err := cfg.BatsDir.MkdirAll(); err != nil {
 return err
 }
+ if err := cfg.BatsDir.Join("profiled").MkdirAll(); err != nil {
+ return err
+ }
+ if err := cfg.BatsDir.Join("unprofiled").MkdirAll(); err != nil {
+ return err
+ }
 for _, test := range tests {
 if err := test.Write(cfg.BatsDir); err != nil {
 return err
diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go
index 2d37324e..1c5f55ae 100644
--- a/tests/cmd/tests.go
+++ b/tests/cmd/tests.go
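Review bot: Removing `tests = tests.Filter()` in the first main.go hunk means every test is now written out and the only selection left is the profiled/unprofiled split in `Test.Write`; if `Filter` was what excluded commands that are not installed (`IsInstalled` still exists in tests.go), those files are now generated and will fail at exec time instead of being skipped, which the commit message does not say is intended. A one-line comment at the `RemoveAll` call, `// no pre-filtering: every test is generated, split by profile presence in Test.Write`, would record the decision. The `"profiled"` and `"unprofiled"` directory names are spelled as literals both here and in tests.go, so a shared constant would keep the two sides from drifting. The enclosing `run` function starts and ends outside these hunks.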
@@ -20,16 +20,10 @@ const tmplTest = `#!/usr/bin/env bats
 # SPDX-License-Identifier: GPL-2.0-only
 load common
-
-setup_file() {
- aa_setup
-}
 {{ $name := .Name -}}
 {{ range .Commands }}
-# bats test_tags={{ $name }}
 @test "{{ $name }}: {{ .Description }}" {
 {{ .Cmd }}
- aa_check
 }
 {{ end }}
 `
@@ -77,13 +71,14 @@ func (t Test) IsInstalled() bool {
 }
 func (t Test) Write(dir *paths.Path) error {
+ dstDir := dir.Join("profiled")
 if !t.HasProfile() {
- return nil
+ dstDir = dir.Join("unprofiled")
 }
+ path := dstDir.Join(t.Name + ".bats")
- path := dir.Join(t.Name + ".bats")
 if paths.New("tests/bats").Join(t.Name + ".bats").Exist() {
- path = dir.Join("00." + t.Name + ".bats")
+ path = dstDir.Join("00." + t.Name + ".bats")
 }
 content := renderBatsFile(t)
 if err := path.WriteFile([]byte(content)); err != nil {
From 4656a4933582bed15c5945e2694b95368feb4fe8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Nov 2024 21:35:39 +0000
Subject: [PATCH 41/64] fix(ci): remove forced color from github action.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index b56d69c6..911bd402 100644
--- a/Makefile
+++ b/Makefile
@@ -113,7 +113,7 @@ check:
 .PHONY: bats
 bats:
- @bats --pretty --print-output-on-failure tests/bats/
+ @bats --timing --print-output-on-failure tests/bats/
 .PHONY: manual
 manual:
From 3eba6bef6d1ca65cac30393c435396d85990a077 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Nov 2024 21:49:03 +0000
Subject: [PATCH 42/64] fix(tests): missing sudo in ip integration test.
---
 tests/bats/ip.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats
index 6d5508c8..163213fa 100644
--- a/tests/bats/ip.bats
+++ b/tests/bats/ip.bats
@@ -35,7 +35,7 @@ load common
 }
 @test "ip rule: Flush all deleted rules" {
- ip rule flush
+ sudo ip rule flush
 }
 @test "ip: Manage network namespace" {
From e149e7753871350d561b68c9fe19ee94455fe53e Mon Sep 17 00:00:00 2001
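Review bot: `Test.Write` now places every generated file under `profiled/` or `unprofiled/`, but the Makefile target in this same chunk still runs `bats --timing --print-output-on-failure tests/bats/` without `--recursive`, and bats only collects `.bats` files directly inside the directory it is given; if `cfg.BatsDir` resolves to tests/bats, the generated tests would silently stop running, and either `--recursive` or an explicit list of the two subdirectories is needed (if BatsDir is somewhere else and CI invokes bats differently, this does not apply). The `00.` prefix used to order a generated file ahead of the hand-written one of the same name in the same directory; with the hand-written file staying in tests/bats and the generated one in a subdirectory that ordering no longer happens, so the `Exist()` branch deserves a comment stating what the prefix is now for, or should be dropped. The `Write` hunk also uses the `"profiled"`/`"unprofiled"` literals that main.go creates, which is a second copy of the same strings.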
From: Alexandre Pujol
Date: Tue, 19 Nov 2024 21:52:12 +0000
Subject: [PATCH 43/64] fix(profile): dhcpcd executes resolvconf
fix #608
---
 apparmor.d/groups/network/dhcpcd | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd
index ebb86197..c1b5d04c 100644
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@@ -35,6 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
 @{bin}/chmod rix,
 @{bin}/cmp rix,
 @{bin}/mkdir rix,
+ @{bin}/resolvconf rPx,
 @{bin}/rm rix,
 @{bin}/sed rix,
 @{lib}/dhcpcd/dhcpcd-run-hooks rix,
From 688317fbe320ab9634e87af7be0b47ee2ba7bd15 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Nov 2024 21:57:54 +0000
Subject: [PATCH 44/64] feat(abs): vulkan allow write access to builtin_shaders.
See #577
---
 apparmor.d/abstractions/vulkan-strict | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
index edb25828..d4dd2fae 100644
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@@ -19,6 +19,7 @@
 owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
 owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
 owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
+ owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w,
 owner @{user_share_dirs}/vulkan/ rw,
 owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw,
From a61460b60cdd84f380ef2c90ddd5b567d4d5da35 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Nov 2024 22:16:18 +0000
Subject: [PATCH 45/64] feat(abs): add the wine abstraction.
---
 apparmor.d/abstractions/wine | 20 ++++++++++++++++++++
 apparmor.d/profiles-s-z/steam-game-proton | 9 +--------
 2 files changed, 21 insertions(+), 8 deletions(-)
 create mode 100644 apparmor.d/abstractions/wine
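Review bot: The new vulkan-strict rule grants `w` on the temporary `radv_builtin_shaders{32,64}@{rand6}` file, but the final cache file on the line above keeps only `r`; if the driver writes the temporary file and then renames it over `radv_builtin_shaders{32,64}` (the usual atomic-replace pattern, which cannot be confirmed from this hunk), AppArmor also requires write permission on the rename target, so the denial would just move from the temp file to the rename. Worth checking the audit log for a rename denial on the untouched name after this change and, if it shows up, widening the existing line to `owner @{user_cache_dirs}/radv_builtin_shaders{32,64} rw, # Vulkan radv shaders cache`. A short comment on the new line saying it is the temp file of that cache would also tie the two rules together for the next reader.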
diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine new file mode 100644 index 00000000..139b0345 --- /dev/null +++ b/apparmor.d/abstractions/wine @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Basic set of resources for wine regardless of the installation method (system or through a game launcher). + + abi , + + owner @{user_share_dirs}/applications/wine/ rw, + owner @{user_share_dirs}/applications/wine/**/ rw, + + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/** rwk, + + owner /dev/shm/wine-@{hex6}-fsync rw, + owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index dfa8b84d..46f296c4 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -18,6 +18,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -79,19 +80,11 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner @{share_dirs}/legacycompat/** mr, owner @{share_dirs}/steamapps/compatdata/{,**} rwk, - owner @{user_share_dirs}/applications/wine/ rw, - owner @{user_share_dirs}/applications/wine/**/ rw, - - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, owner @{tmp}/glx-icds-@{rand6}/{,**} w, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w, - owner /dev/shm/wine-@{hex6}-fsync rw, - owner /dev/shm/wine-@{hex6}@{h}-fsync rw, - @{run}/host/fonts/{,**} r, @{run}/host/share/{,**} r, @{run}/host/usr/{,**} r, From df02f7a0fd9275c5710254013e55fcde70b23a55 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 19 Nov 2024 22:58:42 +0000 Subject: [PATCH 46/64] tests: remove hanged test --- tests/bats/ip.bats | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 163213fa..585d11b2 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats @@ -34,10 +34,6 @@ load common ip rule list } -@test "ip rule: Flush all deleted rules" { - sudo ip rule flush -} - @test "ip: Manage network namespace" { sudo ip netns add foo sudo ip netns list From 815e9bfda2119268165b7a30cf763ae9abf5a65a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 23:07:41 +0000 Subject: [PATCH 47/64] feat(profile): general update. --- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/bwrap | 7 +++++-- apparmor.d/groups/bus/dbus-accessibility | 4 ++++ apparmor.d/groups/bus/dbus-session | 4 ++++ apparmor.d/groups/bus/dbus-system | 1 + apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/gnome/loupe | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 2 +- apparmor.d/groups/network/networkd-dispatcher | 1 + apparmor.d/groups/pacman/yay | 1 + apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 3 ++- apparmor.d/profiles-s-z/snap-seccomp | 2 ++ apparmor.d/profiles-s-z/spotify | 2 ++ apparmor.d/profiles-s-z/steam-game-proton | 1 + apparmor.d/profiles-s-z/tlp | 17 ++++++++++------- 17 files changed, 42 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index c749bf25..87865197 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -101,7 +101,7 @@ owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, - owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon rw, owner @{tmp}/tmpaddon-@{int} r, owner /dev/shm/org.chromium.@{rand6} rw, 
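Review bot: In the firefox abstraction hunk `@{tmp}/tmpaddon` goes from `r` to `rw` while the sibling `@{tmp}/tmpaddon-@{int} r,` on the next line stays read-only; if the numbered name is what Firefox falls back to when `tmpaddon` already exists (inferred from the naming, not shown here), the same write denial will reappear on that path, so it is worth checking both in the audit log before closing this. If both are written by the same code path, `owner @{tmp}/tmpaddon{,-@{int}} rw,` covers the pair in one rule.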
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index b5b119d0..65bc2837 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -44,8 +44,11 @@
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
- @{PROC}/sys/kernel/overflowgid r,
- @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/user/max_user_namespaces r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{att}/@{PROC}/sys/user/max_user_namespaces rw,
 owner @{att}/@{PROC}/@{pid}/cgroup r,
 owner @{att}/@{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 1a4b83e2..e8f0328a 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -28,6 +28,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=accessibility name=org.freedesktop.DBus
 #aa:dbus own bus=session name=org.a11y.{B,b}us
+ dbus receive bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=Hello
+ peer=(name=@{busname}),
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index ecec3cb4..014f7afd 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -31,6 +31,10 @@ profile dbus-session flags=(attach_disconnected) {
 signal (send) set=(term hup kill) peer=xdg-*,
 #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus}
+ dbus receive bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=Hello
+ peer=(name=@{busname}),
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index a569a734..0296a262 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
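Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw,` in the bwrap abstraction hands a sandboxed (attach_disconnected) process write access to the user-namespace limit sysctl, while the non-attached path added two lines earlier gets only `r`; nothing in the hunk shows bwrap needing to change that value rather than read it, and because this is an abstraction the `w` is inherited by every profile that includes it. DAC normally stops an unprivileged process from writing there, but the profile is the layer meant to hold when that is not the case (setuid bwrap builds, or a root-run confined program), so it is worth confirming from the audit log whether the file was merely opened read-write before granting it; if read is all that is needed, `@{att}/@{PROC}/sys/user/max_user_namespaces r,` matches the sibling rule. A comment on whichever line stays, naming the denial it answers, would make the asymmetry between the two paths deliberate rather than accidental.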
@@ -36,6 +36,7 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus + member=Hello peer=(name=@{busname}), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index cf17391b..79886827 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -17,6 +17,7 @@ profile gnome-session @{exec_path} { @{shells_path} rix, @{bin}/cat rix, + @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, @{bin}/grep rix, @@ -32,6 +33,7 @@ profile gnome-session @{exec_path} { @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rPx, + @{bin}/xargs rix, @{bin}/dpkg-query rpx, @{bin}/flatpak rCx -> flatpak, @@ -57,6 +59,7 @@ profile gnome-session @{exec_path} { /etc/X11/Xsession.d/*im-config_launch r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7cc73949..f52340d4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -198,10 +198,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/libgweather/Locations.xml r, - /usr/share/libinput*/ r, - /usr/share/libinput*/{,**/}@{int2}-*.quirks r, - /usr/share/libinput*/libinput/ r, + /usr/share/libinput*/{,**} r, /usr/share/libwacom/{,*.stylus,*.tablet} r, + /usr/share/poppler/{,**} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 10853ea8..75835395 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe 
@@ -17,7 +17,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (send) set=(kill) peer=loupe//bwrap, + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 2d06a9ab..cdc563e0 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/org.gnome.NautilusPreviewer -profile org.gnome.NautilusPreviewer @{exec_path} { +profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index de8f9ccb..63291093 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -26,6 +26,7 @@ profile networkd-dispatcher @{exec_path} { @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, + @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix, /etc/networkd-dispatcher/{,**} r, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index e101fc06..52c2de34 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -84,6 +84,7 @@ profile yay @{exec_path} { @{bin}/gpg{,2} mr, @{bin}/gpg-agent rPx, + @{bin}/dirmngr rPx, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 2638ad0e..5ae75413 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince 
@@ -49,7 +49,7 @@ profile evince @{exec_path} { owner @{user_config_dirs}/evince/{,*} rw, owner @{tmp}/*.pdf r, - owner @{tmp}/evince-*/{,**} rw, + owner @{tmp}/evince-@{int}/{,**} rw, owner @{tmp}/gtkprint* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 774dfa9f..6585f638 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -87,10 +87,11 @@ profile mkinitramfs @{exec_path} { /var/tmp/ r, /var/tmp/modules_@{rand6} rw, - /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**, owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 235ef208..6b0917f8 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -20,6 +20,8 @@ profile snap-seccomp @{exec_path} { @{lib_dirs}/**.so* mr, + @{bin}/getent rix, + /var/lib/snapd/seccomp/bpf/{,**} rw, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8ccbbf0f..41219a4f 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -26,6 +26,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} mr, @{bin}/grep rix, @{open_path} rPx -> child-open-strict, @@ -44,6 +45,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, @{PROC}/pressure/* r, + @{PROC}/@{pid}/net/unix r, owner @{PROC}/@{pid}/clear_refs w, /dev/tty rw, 
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 46f296c4..ab82925a 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -76,6 +76,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner @{share_dirs}/*.dll r, owner @{share_dirs}/bin/ r, + owner @{share_dirs}/installscriptevalutor_log.txt rw, owner @{share_dirs}/legacycompat/ r, owner @{share_dirs}/legacycompat/** mr, owner @{share_dirs}/steamapps/compatdata/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 0378e62f..153ded88 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -45,7 +45,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sort rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/systemctl rCx -> systemctl, @{bin}/touch rix, @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, 
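Review bot: `installscriptevalutor_log.txt` reads like a misspelling of "evaluator", and nothing in the hunk tells a maintainer whether the spelling is deliberate; if it mirrors the file name Steam itself writes, the rule is correct but fragile against a well-meaning "typo fix". Add a comment such as `# sic: file name as written by Steam` above the rule, or, if the name is wrong here, correct it, since a misspelled path silently matches nothing and the denial would reappear.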
@@ -63,30 +63,33 @@ profile tlp @{exec_path} flags=(attach_disconnected) { /var/lib/tlp/{,**} rw, /var/lib/power-profiles-daemon/state.ini rw, + owner /tmp/tlp-run.conf_tmp@{rand6} rw, + owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, @{run}/udev/data/+platform:* r, + @{sys}/bus/pci/devices/ r, + @{sys}/devices/@{pci}/{,**/}power/control w, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/module/pcie_aspm/parameters/policy rw, - @{sys}/module/snd_hda_intel/parameters/power_save rw, - @{sys}/module/snd_hda_intel/parameters/power_save_controller rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, + @{sys}/module/*/parameters/power_save rw, + @{sys}/module/*/parameters/power_save_controller rw, + @{sys}/module/pcie_aspm/parameters/policy rw, owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, owner @{PROC}/sys/kernel/nmi_watchdog rw, owner @{PROC}/sys/vm/dirty_*_centisecs rw, owner @{PROC}/sys/vm/laptop_mode rw, - /dev/disk/by-id/ r, - /dev/tty rw, - profile systemctl { include include + capability net_admin, + include if exists } From 4a5fa74e6310cb3aec022f6da56a2229ebecfd52 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 23:43:17 +0000 Subject: [PATCH 48/64] tests: enable the homectl tests. --- tests/bats/homectl.bats | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 32ff3e57..3d506f67 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -5,11 +5,6 @@ load common -setup_file() { - aa_setup - skip -} - @test "homectl: Display help" { homectl --no-pager --help } From 5ef78b1e6c03a0bddb295d8369dc2eea15adcd5e Mon Sep 17 00:00:00 2001 
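Review bot: `capability net_admin,` is added to the `systemctl` child profile without a comment on which systemctl operation needs it, and NET_ADMIN is a broad capability (interface configuration, netfilter, privileged socket options) for a helper that only starts and stops units. If it was added to silence a denial, record the denied operation next to it (`capability net_admin, # <op from audit log>`) so a later reviewer can judge whether it can be dropped; if no denial was seen, drop the line. The widening of the `snd_hda_intel` rules to `@{sys}/module/*/parameters/power_save{,_controller} rw` is reasonable for tlp, but a short note naming the other module that prompted it would help too.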
From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:08:26 +0000 Subject: [PATCH 49/64] tests: add dmesg.bats --- apparmor.d/profiles-a-f/dmesg | 2 +- tests/bats/dmesg.bats | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 tests/bats/dmesg.bats diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 68fa1329..6abc40c3 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -17,7 +17,7 @@ profile dmesg @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, diff --git a/tests/bats/dmesg.bats b/tests/bats/dmesg.bats new file mode 100644 index 00000000..722b3204 --- /dev/null +++ b/tests/bats/dmesg.bats @@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "dmesg: Show kernel messages" { + sudo dmesg +} + +@test "dmesg: Show kernel error messages" { + sudo dmesg --level err +} + +@test "dmesg: Show how much physical memory is available on this system" { + sudo dmesg | grep -i memory +} + +@test "dmesg: Show kernel messages with a timestamp (available in kernels 3.5.0 and newer)" { + sudo dmesg -T +} + +@test "dmesg: Show kernel messages in human-readable form (available in kernels 3.5.0 and newer)" { + sudo dmesg -H +} + +@test "dmesg: Colorize output (available in kernels 3.5.0 and newer)" { + sudo dmesg -L +} From edad2e19842e3f74d1f58a724742e01557044e08 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:11:57 +0000 Subject: [PATCH 50/64] tests: ensure systemd-homed is started before the homectl test. --- tests/bats/homectl.bats | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 3d506f67..656a3407 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats 
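Review bot: The "Show how much physical memory" test in dmesg.bats passes or fails on the exit status of `grep -i memory`, i.e. on whether the kernel ring buffer still holds a line with that word, which depends on buffer size and uptime rather than on the dmesg profile under test. A guard keeps it meaningful without hiding a real failure: `sudo dmesg | grep -qi memory || skip "no memory lines left in the ring buffer"`. Unless `common` sets `pipefail`, a denial of `sudo dmesg` itself is also masked by grep's status in this form; `run sudo dmesg`, `[ "$status" -eq 0 ]`, then a grep on `$output` makes both checks explicit.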
@@ -5,6 +5,12 @@ load common +setup_file() { + sudo systemctl start systemd-homed + skip + aa_setup +} + @test "homectl: Display help" { homectl --no-pager --help } From 685105a662369df09db9263d28291a529478db1c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:12:31 +0000 Subject: [PATCH 51/64] tests: add fwupdmgr.bats --- tests/bats/fwupdmgr.bats | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 tests/bats/fwupdmgr.bats diff --git a/tests/bats/fwupdmgr.bats b/tests/bats/fwupdmgr.bats new file mode 100644 index 00000000..2eb8282c --- /dev/null +++ b/tests/bats/fwupdmgr.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fwupdmgr: Display all devices detected by fwupd" { + fwupdmgr get-devices +} + +@test "fwupdmgr: Download the latest firmware metadata from LVFS" { + fwupdmgr refresh +} + +@test "fwupdmgr: List the updates available for devices on your system" { + fwupdmgr get-updates +} + +@test "fwupdmgr: Install firmware updates" { + fwupdmgr update +} + From 2332f71b17cce7550f6d7aa42b805ba0c00a3550 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:14:22 +0000 Subject: [PATCH 52/64] tests: add groupmod. --- tests/bats/groupadd.bats | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tests/bats/groupadd.bats b/tests/bats/groupadd.bats index cbc0aa57..d93b1a69 100644 --- a/tests/bats/groupadd.bats +++ b/tests/bats/groupadd.bats @@ -17,8 +17,16 @@ load common sudo groupadd --gid 3000 user3 } +@test "groupmod: Change the group name" { + sudo groupmod --new-name user22 user2 +} + +@test "groupmod: Change the group ID" { + sudo groupmod --gid 2222 user22 +} + @test "groupdel: Delete newly created group" { - sudo groupdel user2 + sudo groupdel user22 sudo groupdel system2 sudo groupdel user3 } 
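Review bot: In the re-added `setup_file`, `skip` runs before `aa_setup`, so `aa_setup` is unreachable and every homectl test is still skipped even though the commit title says systemd-homed is being started so the tests can run. If the suite is meant to stay disabled, give `skip` a reason as the later needrestart change does (`skip "<reason or issue link>"`) and drop the dead `aa_setup` line; if it is meant to run, remove `skip`. Either way `sudo systemctl start systemd-homed` executes on every run before the skip decision, which is probably not intended while the tests are off.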
From ffd6ecba5b7383c990dca68dbd877b835f41dc33 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:15:56 +0000 Subject: [PATCH 53/64] fix(tests): ensure fwupdmgr don't fail even if the target does not support firmware update. --- tests/bats/fwupdmgr.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/bats/fwupdmgr.bats b/tests/bats/fwupdmgr.bats index 2eb8282c..332a6374 100644 --- a/tests/bats/fwupdmgr.bats +++ b/tests/bats/fwupdmgr.bats @@ -10,14 +10,14 @@ load common } @test "fwupdmgr: Download the latest firmware metadata from LVFS" { - fwupdmgr refresh + fwupdmgr refresh || true } @test "fwupdmgr: List the updates available for devices on your system" { - fwupdmgr get-updates + fwupdmgr get-updates || true } @test "fwupdmgr: Install firmware updates" { - fwupdmgr update + fwupdmgr update || true } From 8d4d17fa340e6ee5a541eec95acfcf76a01af4c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:26:57 +0000 Subject: [PATCH 54/64] feat(profile): add fc-match & fc-pattern. --- apparmor.d/groups/freedesktop/fc-list | 2 +- tests/bats/fc-list.bats | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index ffe996c5..6254b245 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fc-list +@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern profile fc-list @{exec_path} { include include diff --git a/tests/bats/fc-list.bats b/tests/bats/fc-list.bats index 52ed4388..12b1df2c 100644 --- a/tests/bats/fc-list.bats +++ b/tests/bats/fc-list.bats 
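Review bot: `|| true` on `fwupdmgr refresh`, `get-updates` and `update` turns every non-zero exit into a pass, including a failure caused by an AppArmor denial in the fwupd or fwupdmgr profile, which is what these integration tests exist to surface. The tolerance wanted is "nothing to do on this target", so test for that outcome rather than for any failure: with bats' `run fwupdmgr get-updates` accept `$status` 0 plus the specific "no updates available" status fwupdmgr documents (check its man page rather than relying on memory), and let `aa_check` or an equivalent DENIED scan still fail the test. `fwupdmgr update` also performs a real firmware install on the test host and may wait for confirmation; if it must stay, confirm the packaged version supports a non-interactive flag before relying on it.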
@@ -8,3 +8,15 @@ load common @test "fc-list: Return a list of installed fonts in your system" { fc-list } + +@test "fc-match: Return a sorted list of best matching fonts" { + fc-match -s 'DejaVu Serif' +} + +@test "fc-pattern: Display default information about a font" { + fc-pattern --default 'DejaVu Serif' +} + +@test "fc-pattern: Display configuration information about a font" { + fc-pattern --config 'DejaVu Serif' +} From 5237ab39892908feeb20b100434245d9ce7c75f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:33:07 +0000 Subject: [PATCH 55/64] test(integration): add sysctl. --- tests/bats/sysctl.bats | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 tests/bats/sysctl.bats diff --git a/tests/bats/sysctl.bats b/tests/bats/sysctl.bats new file mode 100644 index 00000000..171ee98a --- /dev/null +++ b/tests/bats/sysctl.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "sysctl: Show all available variables and their values" { + sysctl -a +} + +@test "sysctl: Set a changeable kernel state variable" { + sudo sysctl -w vm.panic_on_oom=0 +} + +@test "sysctl: Get currently open file handlers" { + sysctl fs.file-nr +} + +@test "sysctl: Get limit for simultaneous open files" { + sysctl fs.file-max +} + +@test "sysctl: Apply changes from `/etc/sysctl.conf`" { + sysctl -p +} + From 3960f20f00a0e53bada503210f6809e0caff247a Mon Sep 17 00:00:00 2001 
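Review bot: The last test name in sysctl.bats, `@test "sysctl: Apply changes from `/etc/sysctl.conf`" {`, is a double-quoted bash string, so the backticks are evaluated as command substitution when the file is parsed: bash tries to execute `/etc/sysctl.conf`, the test name is mangled and a stray "permission denied" shows up in the output. Use `@test "sysctl: Apply changes from /etc/sysctl.conf" {` (or escape the backticks). Separately, `sysctl -p` runs unprivileged while the write test uses `sudo`; unless `/etc/sysctl.conf` is empty on the target, applying it without root will fail on the first key it cannot write, so `sudo sysctl -p` is probably what was meant.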
From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:39:55 +0000 Subject: [PATCH 56/64] feat(profile): add needrestart-vmlinuz-get-version & tests for needrestart. --- apparmor.d/profiles-m-r/needrestart | 11 ++++-- .../needrestart-vmlinuz-get-version | 30 ++++++++++++++++ tests/bats/needrestart.bats | 34 +++++++++++++++++++ 3 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version create mode 100644 tests/bats/needrestart.bats diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 37a1c90a..f5722ed3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -35,11 +35,11 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, - @{bin}/udevadm rPx, + @{bin}/udevadm rCx -> udevadm, @{bin}/unix_chkpwd rPx, @{bin}/whiptail rPx, @{bin}/who rix, - @{lib}/needrestart/iucode-scan-versions rPx, + @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, @{bin}/networkd-dispatcher r, @@ -88,6 +88,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + profile udevadm { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version new file mode 100644 index 00000000..f7e9d76a --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version 
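Review bot: `@{lib}/needrestart/* rPx,` replaces the explicit `iucode-scan-versions` entry with a glob, but `Px` requires a profile attached to each target, so if the directory ships any helper other than `iucode-scan-versions` and the newly added `vmlinuz-get-version`, that helper is now denied exec rather than run, silently changing needrestart's results. If the intent is "every helper must have its own profile", state that in a comment above the rule; otherwise keep one explicit line per helper so a missing profile is noticed at review time. The new `udevadm` child profile carries only include lines; a comment naming the udevadm query needrestart performs would help whoever scopes it next.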
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/needrestart/vmlinuz-get-version +profile needrestart-vmlinuz-get-version @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/grep rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, + + /boot/vmlinuz* r, + + owner @{tmp}/tmp.@{rand10} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats new file mode 100644 index 00000000..4676b36a --- /dev/null +++ b/tests/bats/needrestart.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "needrestart: List outdated processes" { + needrestart +} + +@test "needrestart: Interactively restart services" { + sudo needrestart +} + +@test "needrestart: List outdated processes in verbose mode" { + needrestart -v +} + +@test "needrestart: Check if the kernel is outdated" { + needrestart -k +} + +@test "needrestart: Check if the CPU microcode is outdated" { + needrestart -w +} + +@test "needrestart: List outdated processes in batch mode" { + needrestart -b +} + +@test "needrestart: Display help" { + needrestart --help +} From 23eb08344cc0707e57bd9a912eba79d08755bb65 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:02:16 +0000 Subject: [PATCH 57/64] fix(tunable): udbus can be any hex up to 16. --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 78bb73b0..cc4192d2 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
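Review bot: The new `needrestart-vmlinuz-get-version` profile permits `grep`, `mktemp`, `rm`, `tr` and `which` but no decompressor; if this helper follows the `extract-vmlinux` pattern (locate a compression signature in `/boot/vmlinuz*`, then pipe `tail -c+N` through `gunzip`/`unxz`/`zstd`/... into the mktemp file), it also execs `tail`, `cut` and whichever decompressor `which` finds, none of which the profile allows. Since patch 58 in this series disables the needrestart tests, the suite has not exercised this profile yet; please run the helper by hand on a compressed kernel and add the missing `rix` rules (or a short `# only handles uncompressed images` comment if that is really the scope).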
@@ -123,7 +123,7 @@ @{busname}=:1.@{u16} :not.active.yet # Unix dbus address prefix -@{udbus}=@{hex15} @{hex16} +@{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} From 33a66ef6a2a38baacacb7745e617a4ea125cb7f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:22:52 +0000 Subject: [PATCH 58/64] fix(integration): disable needrestart test due to upstream issue. --- tests/bats/needrestart.bats | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats index 4676b36a..567f8c77 100644 --- a/tests/bats/needrestart.bats +++ b/tests/bats/needrestart.bats @@ -5,6 +5,10 @@ load common +setup_file() { + skip "mqueue raised despite the rule being present. See https://gitlab.com/apparmor/apparmor/-/issues/362" +} + @test "needrestart: List outdated processes" { needrestart } From 36d787fa4472747903571d7766b205ce7c3ce431 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:53:24 +0000 Subject: [PATCH 59/64] feat(abs): add abstraction/webkit. --- apparmor.d/abstractions/webkit | 31 +++++++++++++++++++++++++++++ apparmor.d/groups/browsers/epiphany | 16 +-------------- apparmor.d/profiles-a-f/foliate | 15 +------------- 3 files changed, 33 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/webkit diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit new file mode 100644 index 00000000..c4410d02 --- /dev/null +++ b/apparmor.d/abstractions/webkit 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for webkit UI. + + abi , + + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + + @{bin}/xdg-dbus-proxy rix, + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + + owner /bindfile@{rand6} rw, + owner @{att}/.flatpak-info r, + + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 98f21f47..b08a6b00 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -19,6 +19,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, @@ -28,21 +29,14 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{exec_path} mr, @{open_path} rPx -> child-open, @{bin}/bwrap rix, - @{bin}/xdg-dbus-proxy rix, - @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, /usr/share/enchant*/{,**} r, - owner /bindfile@{rand6} rw, - owner @{att}/.flatpak-info r, - owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, 
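Review bot: `WebKitWebProcess rix,` and `WebKitNetworkProcess rix,` run the process that parses untrusted web content under the same profile as the including application, so a compromised renderer in epiphany or foliate inherits every rule of that application (document directories, D-Bus talk rules, sysfs and cgroup reads) rather than the narrower set the helper needs. The header says "Minimal set of rules for webkit UI"; it should state this trade-off, e.g. `# Note: WebKit helper processes run inline (ix) and inherit the full profile of the includer.`, so each includer can decide whether a dedicated child profile is warranted. The `mount` rule likewise applies to every includer; a comment on what it serves (my inference is WebKit's bwrap sandbox setup, which the abstraction does not say) would keep it from being copied blindly.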
@@ -51,14 +45,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index b1c48540..f6380d12 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -15,6 +15,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, 
@@ -30,31 +31,17 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{bin}/gjs-console rix, - @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-help, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - /usr/share/com.github.johnfactotum.Foliate/{,**} r, - owner /bindfile@{rand6} rw, - owner /.flatpak-info r, - owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, From 65f2d21558a20528f4b7b8b77276d5e436c1a391 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:53:59 +0000 Subject: [PATCH 60/64] feat(profile): add profile for tecla. --- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/tecla | 19 +++++++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/tecla diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 00bc15f1..91f49c21 100644 --- a/apparmor.d/groups/gnome/gnome-control-center 
+++ b/apparmor.d/groups/gnome/gnome-control-center @@ -55,7 +55,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/grep rix, @{bin}/locale rix, @{bin}/sed rix, - @{bin}/tecla rix, + @{bin}/tecla rPx, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f52340d4..46273387 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -175,6 +175,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/Xwayland rPx, + @{bin}/tecla rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper diff --git a/apparmor.d/groups/gnome/tecla b/apparmor.d/groups/gnome/tecla new file mode 100644 index 00000000..082c6c92 --- /dev/null +++ b/apparmor.d/groups/gnome/tecla @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tecla +profile tecla @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From cb86f1c0763af93680e5cd2f9154b5253c7249f5 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:08:48 +0000 Subject: [PATCH 61/64] feat(profile): general update. --- apparmor.d/groups/freedesktop/geoclue | 1 + .../groups/freedesktop/polkit-agent-helper | 2 +- .../groups/systemd/systemd-sleep-nvidia | 1 + .../groups/virt/containerd-shim-runc-v2 | 1 + apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/font-manager | 4 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gsettings | 5 +- apparmor.d/profiles-g-l/jami-gnome | 61 ------------------- apparmor.d/profiles-m-r/passimd | 4 +- apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-s-z/sudo | 10 +-- apparmor.d/profiles-s-z/udisksd | 3 + apparmor.d/profiles-s-z/virt-manager | 1 + 14 files changed, 17 insertions(+), 82 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/jami-gnome diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 383360ad..4492c759 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index bb6e457f..7f5ecd10 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} { +profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ebb4851..2ca5d747 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia 
+++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} { include include + capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index bff45ca3..4c370749 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -50,6 +50,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7e901509..53c64daf 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -36,7 +36,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 81c53aaf..56941f60 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -11,11 +11,9 @@ include profile font-manager @{exec_path} { include include + include include - include - include include - include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 45b2ccfb..aa95a00d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -58,7 +58,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/* r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, 
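Review bot: `capability perfmon,` is added next to `sys_admin` and `sys_tty_config` with nothing saying which operation in the sleep hook requires it; PERFMON gates perf_event_open and similar monitoring interfaces, which is unusual for a suspend script and looks like a denial copied straight from the audit log. Record the triggering operation as a comment (`capability perfmon, # <op from log>`), or, if the real need is a proc/sysfs write the profile already covers, verify the denial persists before keeping the capability.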
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 4ac89176..e2a9ae51 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} { +profile gsettings @{exec_path} flags=(attach_disconnected) { include + include include include @@ -22,8 +23,6 @@ profile gsettings @{exec_path} { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome deleted file mode 100644 index 3a1e504a..00000000 --- a/apparmor.d/profiles-g-l/jami-gnome +++ /dev/null 
@@ -1,61 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/jami-gnome -profile jami-gnome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/jami-gnome/ rw, - owner @{user_cache_dirs}/jami-gnome/** rw, - - owner @{user_share_dirs}/jami/ rw, - owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, - - owner @{user_config_dirs}/autostart/jami-gnome.desktop w, - - owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/smaps r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 4e64e5fb..c0aafeaf 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -26,9 +26,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - /var/lib/passim/{,**} r, - /var/lib/passim/data/{,**} rw, - + owner /var/lib/passim/{,**} rw, owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, 
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 2a7b6303..5da955cb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -28,7 +28,7 @@ profile pidof @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - owner /dev/tty@{int} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 1e674823..b2074ba0 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -21,15 +21,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace (read), + ptrace read, - signal (send,receive) peer=cockpit-bridge, - signal (send) peer=@{p_systemd}, - signal (send) set=(cont,hup,winch) peer=su, - signal (send) set=(winch) peer=child-pager, - signal (send) set=(winch) peer=journalctl, - signal (send) set=(winch) peer=pacman, - signal (send) set=(winch, hup, term) peer=rpm, + signal send set=(winch, hup, term), @{bin}/@{shells} rUx, @{lib}/** PUx, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 9155adf8..909112a7 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -48,6 +48,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, + mount fstype=vfat -> /boot/efi/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, @@ -56,6 +58,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, + umount /boot/efi/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index bce23698..0a67b365 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager 
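Review bot: The consolidated `signal send set=(winch, hup, term),` in the sudo profile drops three things the removed lines granted: `cont` towards `su`, the `receive` half of the `cockpit-bridge` rule, and the unrestricted signal set towards `@{p_systemd}`, so job control after `sudo su` and signals cockpit-bridge delivers to sudo will now be denied unless those peers have since become unconfined. Dropping `peer=` is defensible here, since sudo hands off to arbitrary profiles via `rUx`/`PUx` and must forward signals to whatever it spawned, but that rationale belongs in a comment above the rule. If the removed cases are still live, keep them explicitly: `signal send set=cont peer=su,` and `signal receive peer=cockpit-bridge,`.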
@@ -89,6 +89,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/net/route r,
 owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
From 044f80b1db20869b3bf264bd4b86d3986233a954 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 21 Nov 2024 20:59:06 +0000
Subject: [PATCH 62/64] feat(tunable): unify some XDG and user dirs varibale name.
---
 apparmor.d/abstractions/deny-sensitive-home | 2 +- apparmor.d/groups/virt/virtiofsd | 6 +- apparmor.d/profiles-a-f/browserpass | 4 +- apparmor.d/profiles-g-l/keepassxc | 8 +- apparmor.d/profiles-m-r/pass | 12 +-- apparmor.d/profiles-m-r/pass-import | 2 +- .../profiles-m-r/protonmail-bridge-core | 16 ++-- apparmor.d/tunables/home.d/apparmor.d | 78 ++++++++++--------- .../tunables/xdg-user-dirs.d/apparmor.d | 8 +- docs/configuration.md | 4 +- docs/variables.md | 6 +- 11 files changed, 77 insertions(+), 69 deletions(-)
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index 4291762a..68c013a5 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@@ -34,7 +34,7 @@
 deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
 deny @{run}/user/@{uid}/keyring** mrwkl,
 deny @{user_config_dirs}/*-store/{,**} mrwkl,
- deny @{user_password_store_dirs}/{,**} mrwkl,
+ deny @{user_passwordstore_dirs}/{,**} mrwkl,
 deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
 # Privacy violations
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index 905e2c17..899ecae0 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} {
 mount options=(rw, rbind) -> @{user_publicshare_dirs}/,
 mount options=(rw, rbind) -> @{user_vm_dirs}/,
- mount options=(rw, rbind) -> @{user_vm_shares}/,
+ mount options=(rw, rbind) -> @{user_vmshare_dirs}/,
 umount /,
 pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted,
 pivot_root @{user_vm_dirs}/,
- pivot_root @{user_vm_shares}/,
+ pivot_root @{user_vmshare_dirs}/,
 signal (receive) set=term peer=libvirtd,
@@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} {
 @{user_publicshare_dirs}/{,**} r,
 @{user_vm_dirs}/{,**} r,
- @{user_vm_shares}/{,**} r,
+ @{user_vmshare_dirs}/{,**} r,
 owner @{run}/libvirt/qemu/*.pid rw,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 86da0e6a..272000f3 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -48,8 +48,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner @{user_password_store_dirs}/ rw,
- owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
+ owner @{user_passwordstore_dirs}/ rw,
+ owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner @{user_projects_dirs}/**/*-store/ rw,
 owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
 owner @{user_config_dirs}/*-store/ rw,
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index d2dee61a..de95d3c9 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
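Review bot: The link target in `owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,` is still hard-coded, so a link created under the `@{MOUNTS}/@{XDG_PASSWORDSTORE_DIR}` half of the variable's expansion would be denied while reads and writes there are allowed. The keepassxc hunk in this same commit switches its link target to the variable; doing the same here gives `owner @{user_passwordstore_dirs}/** rwkl -> @{user_passwordstore_dirs}/**,`. The pass hunks at `@@ -120,8 +120,8 @@` and `@@ -142,8 +142,8 @@` carry the identical pattern. The browserpass profile block starts and ends outside this hunk.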
@@ -48,10 +48,10 @@ profile keepassxc @{exec_path} {
 owner @{HOME}/@{XDG_SSH_DIR}/ r,
 owner @{HOME}/@{XDG_SSH_DIR}/* r,
- owner @{user_password_store_dirs}/ r,
- owner @{user_password_store_dirs}/*.csv rw,
- owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
- owner @{user_password_store_dirs}/#@{int} rw,
+ owner @{user_passwordstore_dirs}/ r,
+ owner @{user_passwordstore_dirs}/*.csv rw,
+ owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int},
+ owner @{user_passwordstore_dirs}/#@{int} rw,
 owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
 owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 0736f98c..fe06a346 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -59,7 +59,7 @@ profile pass @{exec_path} {
 /usr/share/terminfo/** r,
- owner @{user_password_store_dirs}/{,**} rw,
+ owner @{user_passwordstore_dirs}/{,**} rw,
 owner /dev/shm/pass.@{rand}/{,*} rw,
 @{sys}/devices/system/node/ r,
@@ -88,7 +88,7 @@ profile pass @{exec_path} {
 /tmp/ r,
- owner @{user_password_store_dirs}/{,**/} r,
+ owner @{user_passwordstore_dirs}/{,**/} r,
 owner /dev/shm/pass.@{rand}/{,*} rw,
@@ -120,8 +120,8 @@ profile pass @{exec_path} {
 owner @{HOME}/.gitconfig r,
 owner @{user_config_dirs}/git/{,*} r,
- owner @{user_password_store_dirs}/ rw,
- owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
+ owner @{user_passwordstore_dirs}/ rw,
+ owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
 owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw,
@@ -142,8 +142,8 @@ profile pass @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner @{user_password_store_dirs}/ rw,
- owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
+ owner @{user_passwordstore_dirs}/ rw,
+ owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner /dev/shm/pass.@{rand}/* rw,
 owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index bb2bc910..4977bb51 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -33,7 +33,7 @@ profile pass-import @{exec_path} {
 /usr/share/file/misc/magic.mgc r,
- owner @{user_password_store_dirs}/{,**} rw,
+ owner @{user_passwordstore_dirs}/{,**} rw,
 owner @{tmp}/[a-zA-Z0-9]* rw,
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core
index 4de73d71..da0c5f78 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge-core
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core
@@ -5,7 +5,7 @@
 # To force the use of the Gnome Keyring or Kwallet secret-service, add the
 # following lines in your local/protonmail-bridge-core file:
 # deny @{bin}/pass x,
-# deny owner @{user_password_store_dirs}/** r,
+# deny owner @{user_passwordstore_dirs}/** r,
 abi ,
@@ -30,8 +30,8 @@ profile protonmail-bridge-core @{exec_path} {
 /etc/lsb-release r,
 /etc/machine-id r,
- owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
- owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
+ owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r,
+ owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r,
 owner @{user_cache_dirs}/protonmail/{,**} rwk,
 owner @{user_config_dirs}/protonmail/{,**} rwk,
@@ -48,7 +48,7 @@ profile protonmail-bridge-core @{exec_path} {
 @{PROC}/sys/net/core/somaxconn r,
 deny @{bin}/pass x,
- deny owner @{user_password_store_dirs}/** r,
+ deny owner @{user_passwordstore_dirs}/** r,
 profile pass {
 include
@@ -72,10 +72,10 @@ profile protonmail-bridge-core @{exec_path} {
 @{bin}/tty rix,
 @{bin}/which rix,
- owner @{user_password_store_dirs}/ r,
- owner @{user_password_store_dirs}/.gpg-id r,
- owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
- deny owner @{user_password_store_dirs}/**/ r,
+ owner @{user_passwordstore_dirs}/ r,
+ owner @{user_passwordstore_dirs}/.gpg-id r,
+ owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw,
+ deny owner @{user_passwordstore_dirs}/**/ r,
 /dev/tty rw,
diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d
index f1be9acb..c791f537 100644
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
@@ -11,30 +11,7 @@
 # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
-# Extra user personal directories
-@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
-@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
-@{XDG_BOOKS_DIR}="Books"
-@{XDG_GAMES_DIR}=".games"
-@{XDG_PROJECTS_DIR}="Projects"
-@{XDG_WORK_DIR}="Work"
-@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
-@{XDG_SYNC_DIR}="Sync"
-@{XDG_TORRENTS_DIR}="Torrents"
-@{XDG_VM_DIR}=".vm"
-@{XDG_VM_SHARES_DIR}="VM_Shares"
-@{XDG_IMG_DIR}="images"
-@{XDG_GAMESSTUDIO_DIR}="unity3d"
-
-# User personal keyrings
-@{XDG_GPG_DIR}=".gnupg"
-@{XDG_SSH_DIR}=".ssh"
-@{XDG_PASSWORD_STORE_DIR}=".password-store"
-
-# User personal private directories
-@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
-
-# Definition of local user configuration directories
+# Define the XDG Base Directory
 @{XDG_CACHE_DIR}=".cache"
 @{XDG_CONFIG_DIR}=".config"
 @{XDG_DATA_DIR}=".local/share"
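Review bot: Renaming `@{XDG_PASSWORD_STORE_DIR}` to `@{XDG_PASSWORDSTORE_DIR}` and `@{XDG_VM_SHARES_DIR}` to `@{XDG_VMSHARE_DIR}` is a breaking change for any local override that sets or appends to the old names (it will be silently ignored or fail to parse), and nothing in the hunk records that. The same commit also leaves `docs/configuration.md` and `docs/variables.md` inconsistent: their expansion columns still cite `@{XDG_PASSWORD_STORE_DIR}` and `@{XDG_VM_SHARES_DIR}`, and `docs/variables.md` still lists `VM_Shares` as the Vm Shares default. Listing the renamed tunables in the commit message and updating those doc rows in the same commit would keep the reference in step with the code.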
@@ -42,28 +19,59 @@
 @{XDG_BIN_DIR}=".local/bin"
 @{XDG_LIB_DIR}=".local/lib"
-# Full path of the user configuration directories
+# Define extended user directories not defined in the XDG standard but commonly
+# used in profiles
+@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
+@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
+@{XDG_BOOKS_DIR}="Books"
+@{XDG_GAMES_DIR}="Games"
+@{XDG_PROJECTS_DIR}="Projects"
+@{XDG_WORK_DIR}="Work"
+@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
+@{XDG_SYNC_DIR}="Sync"
+@{XDG_TORRENTS_DIR}="Torrents"
+@{XDG_GAMESSTUDIO_DIR}="unity3d"
+
+# Define user directories for virtual machines, shared folders and disk images
+@{XDG_VM_DIR}=".vm"
+@{XDG_VMSHARE_DIR}=".vmshare"
+@{XDG_IMG_DIR}=".img"
+
+# Define user build directories and artifacts output
+@{XDG_BUILD_DIR}=".build"
+@{XDG_PKG_DIR}=".pkg"
+
+# Define user personal keyrings
+@{XDG_GPG_DIR}=".gnupg"
+@{XDG_SSH_DIR}=".ssh"
+@{XDG_PASSWORDSTORE_DIR}=".password-store"
+
+# Define user personal private directories
+@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
+
+# Full path of the XDG Base Directory
 @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR}
 @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR}
+@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
 @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR}
 @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
-@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
-
-# User build directories and output
-@{user_build_dirs}="/tmp/build/"
-@{user_pkg_dirs}="/tmp/pkg/"
-@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
 # Other user directories
 @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
 @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}
-@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
-@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}
+@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
 @{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}
 @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}
-@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
-@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
+@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR}
 @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
 @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
+@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}
+@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
+@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR}
+@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR}
+@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR}
+@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR}
+@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR}
+@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
index 00231cbc..52be8b92 100644
--- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
+++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
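Review bot: Besides the renames, this hunk changes the values behind several variables without saying so: `@{XDG_GAMES_DIR}` goes from `.games` to `Games`, `@{XDG_IMG_DIR}` from `images` to `.img`, the Vm Shares default from `VM_Shares` to `.vmshare`, `@{user_build_dirs}` and `@{user_pkg_dirs}` move from `/tmp/build/` and `/tmp/pkg/` under `@{HOME}` and `@{MOUNTS}`, and `@{user_sync_dirs}` loses the `@{MOUNTS}/*/` form. Every profile that uses these variables silently gains or loses paths, so the changed defaults belong in the commit message, and the `docs/variables.md` rows for Disk images, Vm Shares and Sync still show the old values. The new `@{user_gpg_dirs}` and `@{user_ssh_dirs}` also include `@{MOUNTS}/.gnupg` and `@{MOUNTS}/.ssh`; any profile that later switches from `@{HOME}/@{XDG_GPG_DIR}` to these will extend keyring access onto mounted media, which is worth a comment on those two definitions.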
@@ -14,14 +14,14 @@
 @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads"
 # Other user directories
-@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
+@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR}
 @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}
+@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
+@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
+@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
 @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}
 @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}
 @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
-@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
-@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
-@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}
 include if exists
diff --git a/docs/configuration.md b/docs/configuration.md
index e3fbba5e..c3017c28 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -143,7 +143,7 @@ Please ensure that all personal directories you are using are well-defined XDG d
 | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` |
 | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` |
 | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` |
- | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
+ | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
 | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` |
 | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` |
 | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` |
@@ -152,7 +152,7 @@ Please ensure that all personal directories you are using are well-defined XDG d
 | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` |
 | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
 | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` |
- | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
+ | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
 | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` |
diff --git a/docs/variables.md b/docs/variables.md
index ef2533c0..7dc8e5ff 100644
--- a/docs/variables.md
+++ b/docs/variables.md
@@ -29,7 +29,7 @@ title: Variables References
 | Sync | `@{XDG_SYNC_DIR}` | `Sync` |
 | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` |
 | Vm | `@{XDG_VM_DIR}` | `.vm` |
-| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` |
+| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` |
 | Disk images | `@{XDG_IMG_DIR}` | `images` |
 | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` |
@@ -85,7 +85,7 @@ title: Variables References
 | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` |
 | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` |
 | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` |
-| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
+| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
 | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` |
 | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` |
 | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` |
@@ -94,7 +94,7 @@ title: Variables References
 | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` |
 | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
 | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` |
-| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
+| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` |
 | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` |
From 8efdc5d8e3fc0161bb49207f6e6a169004cc11ad Mon Sep 17 00:00:00 2001
From: doublez13
Date: Thu, 21 Nov 2024 14:12:02 -0700
Subject: [PATCH 63/64] Add profile for iftop (#604)
* Add profile for iftop
* iftop: clean up formatting
---
 apparmor.d/profiles-g-l/iftop | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/profiles-g-l/iftop
diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop
new file mode 100644
index 00000000..232aff53
--- /dev/null
+++ b/apparmor.d/profiles-g-l/iftop
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/iftop
+profile iftop @{exec_path} {
+ include
+ include
+ include
+
+ capability net_raw,
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+ network packet raw,
+
+ @{exec_path} mr,
+
+ /usr/share/terminfo/** r,
+
+ owner @{HOME}/.iftoprc r,
+
+ # When running in promiscuous mode
+ @{sys}/devices/**/net/*/statistics/* r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 7acd9079a267cb5ff9f3f5d0e272ff55bc1a5e2d Mon Sep 17 00:00:00 2001
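Review bot: The only why-comment in the new profile, `# When running in promiscuous mode`, sits on the sysfs statistics read rule, while the grants that actually enable capture, `capability net_raw,` and `network packet raw,`, have none. A short comment above the capability line such as `# Raw packet sockets for traffic capture` would tell a reader which lines are the sensitive ones, and if `network inet dgram` and `network inet6 dgram` exist for hostname lookups (to be confirmed) that deserves a comment too. The include targets are not visible in this rendering, so whether an abstraction already covers the dgram rules cannot be checked here.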
From: Besanon
Date: Sat, 23 Nov 2024 18:44:18 +0100
Subject: [PATCH 64/64] add more lxqt files (#600)
* Create abstraction for lxqt desktop group first file for the LXQT 2.0 desktop group
* Update lxqt
* xdg-desktop abstraction added
* removing tabs
* Create startlxqt starter file for LXQT Desktop
* Create startlxqt
* fixing startlxqt I use sddm as display manager I cant remove the other file - only use graphical env., sorry After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop
* Delete apparmor.d/profiles-s-z/startlxqt
* indented by 2 spaces (like other entries)
* Update sddm Enable sddm to start an lxqt desktop session
* Create lxqt-session lxqt-session to be started by startlxqt. Display manager: sddm
* Update lxqt-session
* Update lxqt-session
* removed trailing whitespace
* Update kscreen_backend_launcher to support lxqt desktop is needed for several complaints: DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r
* Update lxqt-session
* Create lxqt-panel
* Update lxqt-panel
* Update lxqt-panel
* Update lxqt-panel
* fix conflicting x
* Update lxqt-panel add child-open
* remove include you think its too permissive to have app-launcher-user here, right?
* Update lxqt-panel add needed programs
* Update lxqt-panel turning back to layout of corresponding xfce file.
* Create lxqt-globalkeysd
* Create lxqt-about
* Create lxqt-leave
* Create lxqt-runner
* Update lxqt-leave
* Update lxqt-runner
* Update lxqt-globalkeysd
* remove video in lxqt-about
* Update lxqt-about
* Update lxqt-runner
* remove abstr. in lxqt-globalkeysd
* remove abstr. in lxqt-runner
* remove abstr. in lxqt-leave
---
 apparmor.d/groups/lxqt/lxqt-about | 28 +++++++++++++++++ apparmor.d/groups/lxqt/lxqt-globalkeysd | 40 +++++++++++++++++++++++++ apparmor.d/groups/lxqt/lxqt-leave | 24 +++++++++++++++ apparmor.d/groups/lxqt/lxqt-runner | 34 +++++++++++++++++++++ 4 files changed, 126 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-about create mode 100644 apparmor.d/groups/lxqt/lxqt-globalkeysd create mode 100644 apparmor.d/groups/lxqt/lxqt-leave create mode 100644 apparmor.d/groups/lxqt/lxqt-runner
diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about
new file mode 100644
index 00000000..8f583045
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-about
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-about
+profile lxqt-about @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/desktop-directories/{,**} r,
+
+ /etc/xdg/menus/lxqt-applications.menu r,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd
new file mode 100644
index 00000000..8729b1ab
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd
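Review bot: `owner /tmp/@{int} r,` is granted with no comment, and the same unexplained rule appears in the lxqt-globalkeysd, lxqt-leave and lxqt-runner hunks of this commit. A bare numeric filename directly under `/tmp` does not identify which component creates it, so a reader cannot tell whether it was lifted from a single audit entry or is a stable artefact; a why-comment naming the producer, or a tighter pattern if one exists, is needed before the rule is copied into further profiles. The same question applies to `/dev/tty rw,` in all four profiles, which is unusual for a graphical component and also has no comment.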
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-globalkeysd
+profile lxqt-globalkeysd @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{open_path} rPx -> child-open-help,
+ @{bin}/screengrab rPx,
+ @{bin}/lxqt-config-brightness rPx,
+
+ /usr/share/lxqt/globalkeyshortcuts.conf rw,
+
+ /var/lib/dbus/machine-id r,
+
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk,
+ owner @{user_config_dirs}/lxqt/#@{int} wr,
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave
new file mode 100644
index 00000000..e76d81f5
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-leave
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-leave
+profile lxqt-leave @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner
new file mode 100644
index 00000000..9477c1bd
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-runner
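Review bot: `/usr/share/lxqt/globalkeyshortcuts.conf rw,` grants write access to the system-wide default configuration from a per-user daemon. If the daemon only reads the distribution default, `r` is enough; if it genuinely writes there, that implies either elevated privileges or a file writable by ordinary users, and either case deserves a comment rather than a silent `w`. Separately, the user-config rules cover `.lock`, `#@{int}` and `.@{rand6}` but not the final `@{user_config_dirs}/lxqt/globalkeyshortcuts.conf` itself, and the lxqt-runner hunk has the same gap for `lxqt-runner.conf`; unless one of the includes (not visible in this rendering) covers it, the rename of the temporary file onto the real config would presumably be denied.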
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-runner
+profile lxqt-runner @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/icons/ r,
+ /usr/share/desktop-directories/ r,
+ /usr/share/desktop-directories/{,**} r,
+
+ /etc/xdg/menus/lxqt-applications.menu r,
+
+ owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor