From 2cc4d69e9e940cd458745906f8c45b374933747b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 9 Nov 2021 21:49:16 +0000
Subject: [PATCH] Update profiles.
---
 .../groups/gnome/gnome-disk-image-mounter | 1 +
 apparmor.d/groups/gnome/gnome-shell | 6 ++--
 apparmor.d/groups/gnome/gsd-power | 1 +
 apparmor.d/groups/systemd/systemd-binfmt | 8 +++++
 .../groups/systemd/systemd-modules-load | 4 ---
 apparmor.d/profiles-a-f/fusermount | 9 ++---
 apparmor.d/profiles-m-r/mono-sgen | 35 +++++++++++++++++++
 apparmor.d/profiles-s-z/udisksd | 1 +
 8 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter
index a9a4de09..87a32689 100644
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 236b98a1..143d8660 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -31,10 +31,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
 signal (receive) set=(term, hup) peer=gdm*,
- signal (send) set=(kill) peer=unconfined,
- signal (send) set=(term) peer=polkit*,
- signal (send) set=(term) peer=xwayland,
- signal (send) set=(usr1) peer=ibus-daemon,
+ signal (send),
 @{exec_path} mr,
@@ -87,6 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
 owner @{user_cache_dirs}/libgweather/{,**} r,
 owner @{user_cache_dirs}/media-art/{,**} r,
+ owner @{user_cache_dirs}/vlc/**/*.jpg r,
 include
 owner @{run}/user/@{uid}/dconf/ rw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index d623c19d..5a77c0b1 100644
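Review bot: The replacement `signal (send),` in the first gnome-shell hunk is unbounded — no `set=` and no `peer=` — so it lets gnome-shell deliver any signal, including SIGKILL, to every confined or unconfined task whose own receive rules accept it, where the four removed rules pinned both the signal and the peer. If the peer list had become unmanageable (gnome-shell presumably signals the applications it launches), keep at least the signal set, `signal (send) set=(kill, term, hup, usr1),`, and add a `peer=` pattern wherever the target is known. A one-line comment naming the peers that forced the widening would help whoever later tries to tighten it again. The profile body continues outside the hunk.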
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -60,6 +60,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt
index 975478c6..196655f3 100644
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@@ -10,6 +10,10 @@ include
 profile systemd-binfmt @{exec_path} {
 include
+ capability net_admin,
+
+ ptrace (read) peer=unconfined,
+
 @{exec_path} mr,
 # Config file locations
@@ -18,6 +22,10 @@ profile systemd-binfmt @{exec_path} {
 /usr/lib/binfmt.d/*.conf r,
 owner @{PROC}/@{pid}/stat r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/fs/binfmt_misc/status w,
+ @{PROC}/sys/kernel/osrelease r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load
index 02fdb10d..3329a865 100644
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@@ -11,12 +11,8 @@ profile systemd-modules-load @{exec_path} {
 include
 include
- # To load kernel modules
 capability sys_module,
- # Needed?
- audit deny capability net_admin,
-
 @{exec_path} mr,
 @{sys}/module/*/initstate r,
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 7871b04b..3fbdd22e 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
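Review bot: `capability net_admin,` in the first systemd-binfmt hunk grants a capability a binfmt registration helper has no functional need for; in systemd binaries this denial usually comes from `fd_inc_sndbuf()` trying `SO_SNDBUFFORCE` on the journal socket, which falls back to `SO_SNDBUF` when refused. If that is the source here, `deny capability net_admin,` would quiet the audit log without widening the profile, and a comment saying so would stop it being re-added later. The same patch drops `audit deny capability net_admin,` from systemd-modules-load, so the two services now treat the identical denial differently; it is worth settling on one treatment. The `ptrace (read) peer=unconfined,` below it is presumably what makes the `@{PROC}/1/environ r,` of the next hunk readable (PID 1 is unconfined and `/proc/PID/environ` needs PTRACE_MODE_READ), and a comment linking the two rules would make that intent explicit. The profile body continues outside the hunk.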
@@ -11,18 +12,16 @@ profile fusermount @{exec_path} {
 include
 include
- # To mount anything:
- # fusermount: mount failed: Operation not permitted
+ capability dac_read_search,
 capability sys_admin,
- #capability dac_read_search,
-
 @{exec_path} mr,
 # Where to mount ISO files
 owner @{HOME}/*/ rw,
 owner @{HOME}/*/*/ rw,
 owner @{user_cache_dirs}/**/ rw,
+ owner @{run}/user/@{uid}/doc/ r,
 # Be able to mount ISO images
 mount fstype={fuse,fuse.*} -> @{HOME}/*/,
@@ -30,6 +29,7 @@ profile fusermount @{exec_path} {
 mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
 mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/,
 mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
+ mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/doc/,
 umount @{HOME}/*/,
 umount @{HOME}/*/*/,
@@ -37,6 +37,7 @@ profile fusermount @{exec_path} {
 umount @{MOUNTS}/*/,
 umount @{MOUNTS}/*/*/,
 umount /tmp/.mount_*/,
+ umount @{run}/user/@{uid}/doc/,
 /etc/fuse.conf r,
diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen
index c1a13b13..7b9b433a 100644
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
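Review bot: The first fusermount hunk turns the previously commented-out `#capability dac_read_search,` into a live grant and at the same time deletes the only comment explaining why the profile holds `capability sys_admin,`, leaving a setuid-root helper with two strong capabilities and no recorded rationale. For a setuid binary the justification matters: dac_read_search is presumably needed because the mount() path walk runs as root into the caller's mode-0700 directories such as the new `@{run}/user/@{uid}/doc/` target — TODO confirm against the denial that prompted it. Suggest a short comment above the two lines, e.g. `# setuid root: sys_admin to mount/umount, dac_read_search to traverse the caller's private mountpoint dirs`, and keeping the mount/umount target list that follows as narrow as it is now, since these caps widen the reach of any bug in the helper. The profile body continues outside the hunk.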
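Review bot: The new `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/doc/,` in the second fusermount hunk carries no owner qualifier (mount rules cannot take one), and unless `@{uid}` is a kernel-enforced variable on the target kernel it expands to a numeric glob, so the rule permits a mount over any user's `doc/` directory rather than only the caller's. That is probably acceptable because fusermount itself drops privileges and checks the caller's access to the mountpoint before mounting, but the profile should say that this is the guard being relied on: `# xdg-document-portal mountpoint; fusermount's own ownership check restricts it to the caller`. The same caveat applies to the matching `umount` rule in the next hunk.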
@@ -9,13 +9,48 @@ include
 @{exec_path} = /{usr/,}bin/mono-sgen
 profile mono-sgen @{exec_path} {
 include
+ include
+ include
+ include
+ include
+ include
+ include
 include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 @{exec_path} mr,
+ /{usr/,}bin/ r,
+ /{usr/,}local/bin/ r,
+ /{usr/,}bin/* rPUx,
+
 /usr/share/.mono/{,**} rw,
 /etc/mono/{,**} r,
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/openra/{,**} rw,
+ owner @{user_config_dirs}/.mono/{,**} r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* rw,
+
+ owner /tmp/*.* rw,
+ owner /tmp/CASESENSITIVETEST* rw,
+ owner /dev/shm/mono.* rw,
+ /dev/shm/ r,
+
+ @{sys}/devices/pci[0-9]*/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/vendor r,
+ @{sys}/devices/pci[0-9]*/**/device r,
+ @{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
+ @{sys}/devices/pci[0-9]*/**/subsystem_device r,
+
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 3914dc44..500dcf91 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -111,6 +111,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
 @{sys}/devices/virtual/block/dm-[0-9]*/ w,
 @{sys}/devices/virtual/block/dm-[0-9]*/** w,
+ @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
 # For powering off USB devices
 @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
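Review bot: `/{usr/,}bin/* rPUx,` in the mono-sgen hunk lets any program a Mono application spawns run unconfined whenever no profile exists for it, so confinement effectively ends at the first exec; since mono-sgen hosts arbitrary CLR code (the `openra` config path suggests a game drove these additions), this is exactly where the profile should fail closed. Prefer enumerating the helpers that were actually observed, or use `rPx` (exec denied when no profile exists) or `rCx -> child` with a restricted child profile, so unknown binaries do not escape to unconfined. `owner /tmp/*.* rw,` is similarly broad and could be narrowed to the name patterns Mono actually uses, in the style of the adjacent `owner /tmp/CASESENSITIVETEST* rw,`. A comment naming the application each group of rules was added for would make later tightening possible.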