diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 523a4d61..a3b8998b 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -26,7 +26,7 @@
 include include include - include + include include # userns,
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index f6b80bc2..b79e78ea 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@@ -2,29 +2,12 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-# This abstraction gives read access on all defined user directories. It should
-# only be used if access to **ALL** folders is required.
+# Warning: This abstraction gives unrestricted read access on all non hidden user directories.
 
- owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
- owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
 
- owner @{user_books_dirs}/{,**} r,
- owner @{user_documents_dirs}/{,**} r,
- owner @{user_download_dirs}/{,**} r,
- owner @{user_games_dirs}/{,**} r,
- owner @{user_music_dirs}/{,**} r,
- owner @{user_pictures_dirs}/{,**} r,
- owner @{user_projects_dirs}/{,**} r,
- owner @{user_publicshare_dirs}/{,**} r,
- owner @{user_sync_dirs}/{,**} r,
- owner @{user_templates_dirs}/{,**} r,
- owner @{user_torrents_dirs}/{,**} r,
- owner @{user_videos_dirs}/{,**} r,
- owner @{user_vm_dirs}/{,**} r,
- owner @{user_work_dirs}/{,**} r,
+ owner @{HOME}/[^.]** r,
+ owner @{MOUNTS}/[^.]** r,
 
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict
new file mode 100644
index 00000000..9eb1262d
--- /dev/null
+++ b/apparmor.d/abstractions/user-read-strict
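Review bot: The new rule `owner @{HOME}/[^.]** r,` keeps only dot-entries directly under @{HOME} out of scope; hidden files and directories nested deeper (for example a dot-directory inside a project folder) remain readable, so the added warning comment overstates the exclusion. I would reword it to `# Warning: This abstraction gives unrestricted read access under @{HOME} and @{MOUNTS}, excluding only top-level hidden entries.` This widening also applies to every profile that keeps including user-read instead of switching to the new user-read-strict; the include renames elsewhere in this commit lost their targets in this rendering, so I cannot confirm which profiles were moved. The same `[^.]**` caveat applies to the `wl` rules added in user-write.d/complete below.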
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction gives read access on all defined user directories. It should
+# only be used if access to **ALL** folders is required.
+
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
+
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+ owner @{user_books_dirs}/{,**} r,
+ owner @{user_documents_dirs}/{,**} r,
+ owner @{user_download_dirs}/{,**} r,
+ owner @{user_games_dirs}/{,**} r,
+ owner @{user_music_dirs}/{,**} r,
+ owner @{user_pictures_dirs}/{,**} r,
+ owner @{user_projects_dirs}/{,**} r,
+ owner @{user_publicshare_dirs}/{,**} r,
+ owner @{user_sync_dirs}/{,**} r,
+ owner @{user_templates_dirs}/{,**} r,
+ owner @{user_torrents_dirs}/{,**} r,
+ owner @{user_videos_dirs}/{,**} r,
+ owner @{user_vm_dirs}/{,**} r,
+ owner @{user_work_dirs}/{,**} r,
+
+ include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict
new file mode 100644
index 00000000..51fe3e08
--- /dev/null
+++ b/apparmor.d/abstractions/user-write-strict
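Review bot: user-read-strict carries `owner @{HOME}/ r,` and `owner @{MOUNTS}/ r,`, which the previous user-read content it replaces did not, so a profile moved from user-read to user-read-strict gains listing of the top-level home directory, and a listing reveals the names of hidden entries even though their contents stay unreadable here. If that is intended (file choosers typically need it) the header comment should say so, e.g. `# Also grants listing of the top-level @{HOME} and @{MOUNTS} directories (names of hidden entries become visible).`; otherwise the two lines should go. The include target on the last line was lost in this rendering, so I cannot check it.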
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction gives write only access on all defined user directories. It should
+# only be used if access to **ALL** folders is required.
+
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
+
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} wl,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} wl,
+ owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} wl,
+ owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} wl,
+ owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} wl,
+
+ owner @{user_books_dirs}/{,**} wl,
+ owner @{user_documents_dirs}/{,**} wl,
+ owner @{user_download_dirs}/{,**} wl,
+ owner @{user_games_dirs}/{,**} wl,
+ owner @{user_music_dirs}/{,**} wl,
+ owner @{user_pictures_dirs}/{,**} wl,
+ owner @{user_projects_dirs}/{,**} wl,
+ owner @{user_publicshare_dirs}/{,**} wl,
+ owner @{user_sync_dirs}/{,**} wl,
+ owner @{user_templates_dirs}/{,**} wl,
+ owner @{user_torrents_dirs}/{,**} wl,
+ owner @{user_videos_dirs}/{,**} wl,
+ owner @{user_vm_dirs}/{,**} wl,
+ owner @{user_work_dirs}/{,**} wl,
+
+ include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete
index 5bcab6f3..8f73b06e 100644
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
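Review bot: The header comment says `write only access`, but the file also grants `owner @{HOME}/ r,` and `owner @{MOUNTS}/ r,`, and every per-directory rule carries `l` (link) alongside `w`. I would make the comment match, e.g. `# This abstraction gives write and link access on all defined user directories, plus read on the top-level @{HOME} and @{MOUNTS} directories.` Since the `wl` rules carry no `r`, a consumer that opens files read-write presumably needs a read abstraction alongside this one; a one-line comment saying so would stop someone from adding `r` here by reflex and silently turning this into a full read-write abstraction. The include target on the last line was lost in this rendering.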
@@ -2,15 +2,10 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+# Warning: This abstraction gives unrestricted write access on all non hidden user directories.
 
- owner @{user_books_dirs}/{,**} rwl,
- owner @{user_documents_dirs}/{,**} rwl,
- owner @{user_games_dirs}/{,**} rwl,
- owner @{user_music_dirs}/{,**} rwl,
- owner @{user_pictures_dirs}/{,**} rwl,
- owner @{user_projects_dirs}/{,**} rwl,
- owner @{user_videos_dirs}/{,**} rwl,
- owner @{user_vm_dirs}/{,**} rwl,
- owner @{user_work_dirs}/{,**} rwl,
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
+
+ owner @{HOME}/[^.]** wl,
+ owner @{MOUNTS}/[^.]** wl,
diff --git a/apparmor.d/groups/apps/imv-wayland b/apparmor.d/groups/apps/imv-wayland
index bd727a31..4186d0d7 100644
--- a/apparmor.d/groups/apps/imv-wayland
+++ b/apparmor.d/groups/apps/imv-wayland
@@ -13,7 +13,7 @@ profile imv @{exec_path} {
 include include include - include + include @{exec_path} mr,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 7ae1e17c..ab9fc0f6 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -34,7 +34,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 include include include - include + include # userns,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index cbf29a43..03d3bb35 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -26,7 +26,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 include include include - include + include include unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index 6c658ddf..bdc95e7e 100644
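Review bot: `owner @{HOME}/[^.]** wl,` excludes only dot-entries directly under @{HOME}; hidden directories nested deeper, such as a `.git/` directory inside a project tree, become writable and linkable, and the warning comment's "non hidden user directories" does not convey that. I would reword it to `# Warning: This abstraction gives unrestricted write and link access under @{HOME} and @{MOUNTS}, excluding only top-level hidden entries.` The rules this drop-in previously carried were `rwl` while the new ones are `wl` only; if that narrowing is intended it deserves a comment, since a profile that relied on this file for read access now needs a read abstraction as well. The include-rename hunks that follow lost their targets in this rendering, so I cannot verify which profiles pick up the new strict abstractions.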
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -14,6 +14,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 include include include + include + include signal (send) set=(kill) peer=loupe//bwrap,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index adf3f672..2be51ff5 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -13,7 +13,7 @@ profile gpg @{exec_path} {
 include include include - include + include capability dac_read_search,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index 73cc5671..4e82b0aa 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -14,8 +14,8 @@ profile gvfsd-dav @{exec_path} {
 include include include - include include + include network inet stream, network inet6 stream,
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index ea420285..7516555b 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -14,7 +14,7 @@ profile kactivitymanagerd @{exec_path} {
 include include include - include + include @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index 5bb7f910..fa00bcc1 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -15,8 +15,8 @@ profile okular @{exec_path} {
 include include include - include - include + include + include @{exec_path} mr,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index baa5f33a..53bb3851 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -33,7 +33,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 include include include - include + include # userns,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 4729bc3a..3122576c 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -18,8 +18,8 @@ profile evince @{exec_path} {
 include include include - include - include + include + include # also denies network mounts deny network inet,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 80eef854..66510610 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -15,9 +15,11 @@ profile file-roller @{exec_path} {
 include include include + include include include - include + include + include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 #aa:dbus own bus=session name=org.gnome.FileRoller
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index 0bc43c8e..3b18cb2b 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -13,7 +13,7 @@ profile mutt @{exec_path} {
 include include include - include + include network inet dgram, network inet6 dgram,
diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark
index b0165538..19f38bc9 100644
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@@ -18,7 +18,7 @@ profile wireshark @{exec_path} {
 include include include - include + include network inet dgram, network inet6 dgram,