update apparmor profiles

apparmor.d/abstractions/gtk

@@ -15,7 +15,9 @@
 
   /usr/share/gtk-3.0/settings.ini r,
 
+  /etc/gtk-2.0/ r,
   /etc/gtk-2.0/gtkrc r,
+  /etc/gtk-3.0/ r,
   /etc/gtk-3.0/*.conf r,
 
   /etc/gtk/gtkrc r,
@@ -26,13 +28,13 @@
   owner @{HOME}/.gtk-bookmarks r,
   owner @{HOME}/.config/gtkrc r,
   owner @{HOME}/.config/gtkrc-2.0 r,
-  owner @{HOME}/.config/gtk-3.0/ w,
+  owner @{HOME}/.config/gtk-3.0/ rw,
   owner @{HOME}/.config/gtk-3.0/settings.ini r,
   owner @{HOME}/.config/gtk-3.0/bookmarks r,
   owner @{HOME}/.config/gtk-3.0/gtk.css r,
 
   # for gtk file dialog
-  owner @{HOME}/.config/gtk-2.0/ w,
+  owner @{HOME}/.config/gtk-2.0/ rw,
   owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
 
   # .Xauthority file required for X connections

apparmor.d/borg

@@ -0,0 +1,99 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi <abi/3.0>,
+
+#include <tunables/global>
+
+@{BACKUP_DIR} = /media/Arti/backup-*
+
+@{exec_path} = /{usr/,}bin/borg
+profile borg @{exec_path} {
+  #include <abstractions/base>
+  #include <abstractions/python>
+
+  # For reading files of other users as root
+  capability dac_read_search,
+
+  # Needed to mount backup files
+  capability sys_admin,
+
+  #
+  capability fowner,
+
+  @{exec_path} r,
+  /{usr/,}bin/python3.[0-9]* r,
+
+  /usr/bin/uname                     rix,
+  /usr/sbin/ldconfig                 rix,
+  /{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
+
+  /{usr/,}bin/ccache                 rCx -> ccache,
+
+  /usr/bin/fusermount{,3}            rPx,
+
+  mount fstype=fuse -> /media/*/,
+  umount /media/*/,
+
+  /dev/fuse rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+
+  owner @{HOME}/.cache/ rw,
+  owner @{HOME}/.cache/borg/ rw,
+  owner @{HOME}/.cache/borg/** rw,
+
+  owner @{HOME}/.config/borg/ rw,
+  owner @{HOME}/.config/borg/** rw,
+
+  # If /tmp/ isn't accessible, then /var/tmp/ is used.
+  owner /tmp/* rw,
+  owner /tmp/tmp*/ rw,
+  owner /tmp/tmp*/idx rw,
+  owner /var/tmp/* rw,
+  owner /var/tmp/tmp*/ rw,
+  owner /var/tmp/tmp*/idx rw,
+
+  # Dirs that can be backed up
+  /            r,
+  /boot/{,**}  r,
+  /efi/{,**}   r,
+  /etc/{,**}   r,
+  /home/{,**}  r,
+  /media/{,**} r,
+  /mnt/{,**}   r,
+  /opt/{,**}   r,
+  /root/{,**}  r,
+  /srv/{,**}   r,
+  /usr/{,**}   r,
+  /var/{,**}   r,
+
+  # The backup dirs
+  owner @{BACKUP_DIR}/ r,
+  owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**,
+
+  # For exporting the key
+  owner /**/key w,
+
+
+  profile ccache {
+    #include <abstractions/base>
+
+    /{usr/,}bin/ccache mr,
+
+    /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
+
+    /media/ccache/*/** rw,
+
+  }
+
+  #include if exists <local/borg>
+}

apparmor.d/cron

@@ -51,6 +51,7 @@ profile cron @{exec_path} {
   /usr/share/rsync/scripts/rrsync      rPUx,
   /{usr/,}bin/gpg                       rPx,
   /{usr/,}sbin/update-pciids            rPx,
+  /{usr/,}bin/borg                      rPx,
 
   # Cron scripts in the /etc/cron.*/ dir to execute
   /{usr/,}bin/run-parts                 rCx -> run-parts,

apparmor.d/exo-compose-mail

@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi <abi/3.0>,
+
+#include <tunables/global>
+
+@{exec_path} = /usr/share/xfce4/exo/exo-compose-mail
+profile exo-compose-mail @{exec_path} {
+  #include <abstractions/base>
+  #include <abstractions/perl>
+
+  @{exec_path} r,
+  /{usr/,}bin/perl r,
+
+  # Mail clients
+  /usr/bin/thunderbird                    rPx,
+  /{usr/,}lib/thunderbird/thunderbird     rPx,
+  /{usr/,}lib/thunderbird/thunderbird-bin rPx,
+
+  #include if exists <local/exo-compose-mail>
+}

apparmor.d/firefox

@@ -111,10 +111,10 @@ profile firefox @{exec_path} {
   deny owner @{PROC}/@{pid}/statm r,
   deny owner @{PROC}/@{pid}/smaps r,
   # Link Monitor (since 49.0.1)
-  deny       @{PROC}/@{pid}/net/arp r,
-  deny       @{PROC}/@{pid}/net/route r,
+             @{PROC}/@{pid}/net/arp r,
+             @{PROC}/@{pid}/net/route r,
   #
-  deny       @{PROC}/@{pid}/net/if_inet6 r,
+             @{PROC}/@{pid}/net/if_inet6 r,
 
   /etc/mime.types r,
   /etc/mailcap r,
@@ -204,6 +204,7 @@ profile firefox @{exec_path} {
     /{usr/,}bin/telegram-desktop rPx,
     /{usr/,}bin/spacefm          rPx,
     /{usr/,}bin/qpdfview         rPx,
+    /{usr/,}share/xfce4/exo/exo-compose-mail rPx,
 
     # file_inherit
     owner @{HOME}/.xsession-errors w,

apparmor.d/freetube

@@ -13,9 +13,12 @@
 
 #include <tunables/global>
 
-@{FT_LIBDIR} = /{usr/,}lib/freetube /opt/FreeTube
+@{FT_LIBDIR} =  /{usr/,}lib/freetube
+@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
+@{FT_LIBDIR} += /opt/FreeTube
+@{FT_LIBDIR} += /opt/FreeTube-Vue
 
-@{exec_path} = @{FT_LIBDIR}/freetube
+@{exec_path} = @{FT_LIBDIR}/freetube{,-vue}
 profile freetube @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -40,10 +43,6 @@ profile freetube @{exec_path} {
   owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/uid_map w,
 
-  # Needed?
-  #deny capability sys_ptrace,
-  #ptrace (read) peer=xdg-open,
-
   @{exec_path} mrix,
 
   @{FT_LIBDIR}/ r,
@@ -72,23 +71,26 @@ profile freetube @{exec_path} {
   #          freetube[56499b8a8000+531e000]
              @{PROC}/ r,
        owner @{PROC}/@{pid}/fd/ r,
+  #          @{PROC}/@{pid}/fd/ r,
              @{PROC}/@{pids}/task/ r,
   deny owner @{PROC}/@{pids}/task/@{tid}/status r,
+  #          @{PROC}/@{pids}/task/@{tid}/status r,
   deny       @{PROC}/@{pids}/stat r,
+  deny owner @{PROC}/@{pids}/statm r,
+  deny owner @{PROC}/@{pid}/cmdline r,
+       owner @{PROC}/@{pids}/oom_{,score_}adj r,
+  deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
        owner @{PROC}/@{pid}/mountinfo r,
        owner @{PROC}/@{pid}/mounts r,
              @{PROC}/sys/kernel/yama/ptrace_scope r,
   deny       @{PROC}/vmstat r,
              @{PROC}/sys/fs/inotify/max_user_watches r,
-
- # The following are needed for View -> Developer Tools
-             @{PROC}/@{pid}/fd/ r,
-  deny       @{PROC}/@{pids}/task/@{tid}/status r,
-
   /etc/fstab r,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
+  owner @{HOME}/.local/share r,
+
   deny @{sys}/devices/virtual/tty/tty0/active r,
   deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
   # To remove the following error:
@@ -104,12 +106,12 @@ profile freetube @{exec_path} {
   /etc/machine-id r,
 
   # no new privs
-  /{usr/,}bin/xdg-settings rPUx,
+  /{usr/,}bin/xdg-settings    rPx,
 
-  /{usr/,}bin/xdg-open      rCx -> open,
+  /{usr/,}bin/xdg-open        rCx -> open,
 
   # Allowed apps to open
-  /{usr/,}lib/firefox/firefox rPUx,
+  /{usr/,}lib/firefox/firefox rPx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
@@ -122,7 +124,7 @@ profile freetube @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     # Allowed apps to open
-    /{usr/,}lib/firefox/firefox rPUx,
+    /{usr/,}lib/firefox/firefox rPx,
 
     # file_inherit
     owner @{HOME}/.xsession-errors w,

apparmor.d/freetube-chrome-sandbox

@@ -13,7 +13,10 @@
 
 #include <tunables/global>
 
-@{FT_LIBDIR} = /{usr/,}lib/freetube /opt/FreeTube
+@{FT_LIBDIR} =  /{usr/,}lib/freetube
+@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
+@{FT_LIBDIR} += /opt/FreeTube
+@{FT_LIBDIR} += /opt/FreeTube-Vue
 
 @{exec_path} = @{FT_LIBDIR}/chrome-sandbox
 profile freetube-chrome-sandbox @{exec_path} {
@@ -29,11 +32,11 @@ profile freetube-chrome-sandbox @{exec_path} {
   @{exec_path} mr,
 
   # Has to be lower "P"
-  @{FT_LIBDIR}/freetube rpx,
+  @{FT_LIBDIR}/freetube{,-vue} rpx,
 
-  # The following is needed for View -> Developer Tools
              @{PROC}/@{pids}/ r,
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+       owner @{PROC}/@{pid}/oom_{,score_}adj r,
+  deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
 
   #include if exists <local/freetube-chrome-sandbox>
 }

apparmor.d/fusermount

@@ -37,11 +37,15 @@ profile fusermount @{exec_path} {
   mount fstype={fuse,fuse.*} -> /home/*/*/,
   mount fstype={fuse,fuse.*} -> /home/*/*/*/,
   mount fstype={fuse,fuse.*} -> /home/*/.cache/**/,
+  mount fstype={fuse,fuse.*} -> /media/*/,
+  # For MTP
+  mount                      -> /,
 
   # Be able to unmount the ISO images
   umount /home/*/*/,
   umount /home/*/*/*/,
   umount /home/*/.cache/**/,
+  umount /media/*/,
 
   # Image files to be mounted
   owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,

apparmor.d/geany

@@ -46,6 +46,8 @@ profile geany @{exec_path} {
   deny /{usr/,}bin/dbus-send   rx,
 
   owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
 
   /usr/share/geany/{,**} r,
 

apparmor.d/kconfig-hardened-check

@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi <abi/3.0>,
+
+#include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/kconfig-hardened-check
+profile kconfig-hardened-check @{exec_path} {
+  #include <abstractions/base>
+  #include <abstractions/python>
+
+  @{exec_path} r,
+  /{usr/,}bin/python3.[0-9]* r,
+
+  /{usr/,}bin/ r,
+
+  /boot/config-* r,
+  @{PROC}/config.gz r,
+
+  #include if exists <local/kconfig-hardened-check>
+}

apparmor.d/pavucontrol

@@ -29,6 +29,7 @@ profile pavucontrol @{exec_path} {
   /usr/share/pavucontrol/pavucontrol.glade r,
 
   # Pavucontrol config files
+  owner @{HOME}/.config/ r,
   owner @{HOME}/.config/pavucontrol.ini* rw,
 
   /var/lib/dbus/machine-id r,

apparmor.d/thunderbird

@@ -20,7 +20,8 @@
 @{MOZ_HOMEDIR} = @{HOME}/.thunderbird
 @{MOZ_CACHEDIR} = @{HOME}/.cache/thunderbird
 
-@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} /{usr/,}bin/thunderbird
+@{exec_path}  = @{MOZ_LIBDIR}/thunderbird{,-bin}
+@{exec_path} += /{usr/,}bin/thunderbird
 profile thunderbird @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/consoles>

apparmor.d/update-pciids

@@ -19,7 +19,7 @@ profile update-pciids @{exec_path} {
   #include <abstractions/consoles>
 
   @{exec_path} r,
-  /{usr/,}bin/dash rix,
+  /{usr/,}bin/dash     rix,
 
   /{usr/,}bin/touch    rix,
   /{usr/,}bin/rm       rix,
@@ -37,9 +37,9 @@ profile update-pciids @{exec_path} {
   /{usr/,}bin/ln       rix,
   /{usr/,}bin/zgrep    rix,
 
-  /{usr/,}bin/wget    rCx -> browse,
-  /{usr/,}bin/curl    rCx -> browse,
-  /{usr/,}bin/lynx    rCx -> browse,
+  /{usr/,}bin/wget     rCx -> browse,
+  /{usr/,}bin/curl     rCx -> browse,
+  /{usr/,}bin/lynx     rCx -> browse,
 
   /usr/share/misc/ r,
   /usr/share/misc/* rwl -> /usr/share/misc/*,

apparmor.d/xinit

@@ -41,6 +41,7 @@ profile xinit @{exec_path} {
   /{usr/,}bin/head     rix,
   /{usr/,}bin/gawk     rix,
   /{usr/,}bin/id       rix,
+  /{usr/,}bin/tail     rix,
 
   /{usr/,}bin/dbus-update-activation-environment rix,