diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 3b024f80..d16ce65e 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 capability sys_tty_config,
 signal (receive) set=term peer=gdm,
+ signal (receive) set=hup peer=@{systemd},
 signal (send) set=hup peer=at-spi*,
 signal (send) set=hup peer=dbus-daemon,
 signal (send) set=hup peer=dbus-run-session,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 55695aee..123a899f 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -34,6 +34,7 @@ profile gnome-software @{exec_path} {
 @{exec_path} mr,
+ @{bin}/baobab rPUx,
 @{bin}/bwrap rPUx,
 @{bin}/fusermount{,3} rCx -> fusermount,
 @{bin}/gpg{,2} rCx -> gpg,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 63148ea6..7c170612 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -27,7 +27,8 @@ profile mutter-x11-frames @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
- /var/lib/gdm/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 53c7474e..25012770 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -104,6 +104,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 @{run}/blkid/blkid.tab r,
 @{run}/mount/utab r,
+ @{PROC}/@{pid}/cmdline r,
 @{PROC}/sys/fs/fanotify/max_user_marks r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 owner @{PROC}/@{pid}/mountinfo r,
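Review bot: In the gnome-software hunk, `@{bin}/baobab rPUx,` lets baobab run unconfined whenever no baobab profile is loaded, the same fallback the neighbouring `@{bin}/bwrap rPUx,` already has. If this profile set ships a profile for baobab, `@{bin}/baobab rPx,` keeps the child confined and fails closed instead; if it does not, a short comment stating that the unconfined fallback is deliberate would help the next audit of this profile.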
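Review bot: In the mutter-x11-frames hunk, the `gdm{3,}` alternation is written out by hand here and again in the pactl hunk further down; if more profiles need the GDM home directory, a single variable in the tunables expanding to both `/var/lib/gdm` and `/var/lib/gdm3` would keep the spellings in sync. This is a style point only; the two new read rules themselves look fine.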
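Review bot: In the tracker-miner hunk, `@{PROC}/@{pid}/cmdline r,` carries no `owner` qualifier, so it grants read access to the command line of every process the pattern matches rather than tracker-miner's own, and command lines can carry secrets passed as arguments. The neighbouring `owner @{PROC}/@{pid}/mountinfo r,` and the `owner @{PROC}/@{pid}/cmdline r,` rule visible in the mutter-x11-frames hunk both rely on `owner` to scope the read; unless tracker-miner genuinely needs to inspect other processes, `owner @{PROC}/@{pid}/cmdline r,` is the safer form. If the unowned read is intentional, a comment naming which process it has to read would justify the broader rule.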
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 46c5ec72..7c58d497 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -25,6 +25,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 mount -> /,
+ ptrace (read),
+
 @{exec_path} mr,
 @{lib}/** r,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 4899546a..68d002c6 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -27,6 +27,8 @@ profile systemd-journald @{exec_path} {
 network netlink raw,
+ ptrace (read),
+
 @{exec_path} mr,
 /etc/systemd/journald.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled
index f3d90068..a5d5f76e 100644
--- a/apparmor.d/groups/systemd/systemd-portabled
+++ b/apparmor.d/groups/systemd/systemd-portabled
@@ -13,16 +13,9 @@ profile systemd-portabled @{exec_path} {
 capability sys_ptrace,
- ptrace (read) peer=unconfined,
-
 @{exec_path} mr,
 /var/lib/portables/{,**} rw,
- @{PROC}/1/environ r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index b353dbea..d8c217c0 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -14,6 +14,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 audit capability net_admin,
+ signal (receive) set=(term cont) peer=default,
 signal (receive) set=(term cont) peer=logrotate,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index 548c5242..b8c1b217 100644
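Review bot: In the systemd-coredump hunk, `ptrace (read),` has no `peer=` qualifier, so the daemon may read the /proc state of any process, confined or not; the systemd-journald hunk below adds the same unscoped rule. Both daemons plausibly have to inspect processes that are not known in advance, so the breadth may be unavoidable, but a one-line comment such as `# No peer restriction: the target process is not known in advance` would record why the rule is not narrowed. Where the set of peers is known, `ptrace (read) peer=...` keeps the grant at least privilege, as the `peer=unconfined` form removed from systemd-portabled in the next hunk shows.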
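Review bot: In the systemd-portabled hunk, `capability sys_ptrace,` stays in the profile although the only ptrace rule, `ptrace (read) peer=unconfined,`, is removed together with the `@{PROC}/...` reads. If those rules moved into an abstraction (the targets of the `include` lines are not visible here) the capability is presumably still exercised; otherwise it is now a privilege nothing in the profile uses and should go as well. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched.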
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -1,17 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-20223 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = @{lib}/blueman-mechanism
-@{exec_path} += @{lib}/blueman/blueman-mechanism
+@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
 profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
+ include
 capability mknod,
 capability net_admin,
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index b667f348..aefabbac 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/borg
 profile borg @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
@@ -20,6 +21,11 @@ profile borg @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ mount fstype=fuse -> @{MOUNTS}/,
+ mount fstype=fuse -> @{MOUNTS}/*/,
+ umount @{MOUNTS}/,
+ umount @{MOUNTS}/*/,
+
 @{exec_path} r,
 @{bin}/ r,
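Review bot: The added header line in blueman-mechanism reads `# Copyright (C) 2021-20223 Alexandre Pujol`; the year range has an extra digit, and the same header added in the netcap hunk below uses `2021-2023`, so this should be `# Copyright (C) 2021-2023 Alexandre Pujol`. The rest of the hunk (collapsing the two `@{exec_path}` assignments into one and swapping one include) is consistent with the other profiles in this change.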
@@ -30,42 +36,10 @@ profile borg @{exec_path} {
 @{bin}/ldconfig rix,
 @{bin}/uname rix,
- @{bin}/pass rPUx,
- @{bin}/ssh rPx,
 @{bin}/ccache rCx -> ccache,
 @{bin}/fusermount{,3} rCx -> fusermount,
-
- mount fstype=fuse -> @{MOUNTS}/,
- mount fstype=fuse -> @{MOUNTS}/*/,
- umount @{MOUNTS}/,
- umount @{MOUNTS}/*/,
-
- /dev/fuse rw,
-
- owner @{PROC}/@{pid}/fd/ r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- @{run}/systemd/userdb/ r,
- @{run}/resolvconf/resolv.conf r,
-
- owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/borg/ rw,
- owner @{user_cache_dirs}/borg/** rw,
-
- owner @{user_config_dirs}/borg/ rw,
- owner @{user_config_dirs}/borg/** rw,
-
- # If /tmp/ isn't accessible, then /var/tmp/ is used.
- owner /tmp/* rw,
- owner /tmp/tmp*/ rw,
- owner /tmp/tmp*/idx rw,
- owner /tmp/tmp*/file rw,
- owner /tmp/borg-cache-*/ rw,
- owner /tmp/borg-cache-*/* rw,
- owner /var/tmp/* rw,
- owner /var/tmp/tmp*/ rw,
- owner /var/tmp/tmp*/idx rw,
- owner /var/tmp/tmp*/file rw,
+ @{bin}/pass rPx,
+ @{bin}/ssh rPx,
 # Dirs that can be backed up
 / r,
@@ -80,13 +54,28 @@ profile borg @{exec_path} {
 owner @{MOUNTS}/ r,
 owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
- # borg serve on server's side
- owner /home/borg/*/ rw,
- owner /home/borg/*/{,**} rw,
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/borg/ rw,
+ owner @{user_cache_dirs}/borg/** rw,
- # For exporting the key
- owner /**/key w,
+ owner @{user_config_dirs}/borg/ rw,
+ owner @{user_config_dirs}/borg/** rw,
+ # If /tmp/ isn't accessible, then /var/tmp/ is used.
+ owner /tmp/* rw,
+ owner /tmp/borg-cache-*/ rw,
+ owner /tmp/borg-cache-*/* rw,
+ owner /tmp/tmp*/ rw,
+ owner /tmp/tmp*/file rw,
+ owner /tmp/tmp*/idx rw,
+ owner /var/tmp/* rw,
+ owner /var/tmp/tmp*/ rw,
+ owner /var/tmp/tmp*/file rw,
+ owner /var/tmp/tmp*/idx rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/fuse rw,
 profile ccache {
 include
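Review bot: In the second borg hunk, `owner /tmp/* rw,` and `owner /var/tmp/* rw,` (moved here from earlier in the profile) grant read/write on any file the user owns directly under the temp directories, which makes the more specific `borg-cache-*` and `tmp*` rules that follow them redundant and lets borg touch other programs' temporary files. If borg only creates the paths the specific rules name, the two wildcard lines can be dropped; if some other temp file is needed, naming its pattern keeps the grant narrow. Dropping `owner /**/key w,` in the same hunk is a good tightening; should key export still need a write rule, a pattern anchored on the export location is preferable to reinstating the global one.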
@@ -97,29 +86,31 @@ profile borg @{exec_path} {
 @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
 @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
- /media/ccache/*/** rw,
- /etc/debian_version r,
+ @{MOUNTS}/** rw,
+
+ include if exists
 }
 profile fusermount {
 include
 include
- # To mount anything:
 capability sys_admin,
+ umount @{MOUNTS}/,
+ umount @{MOUNTS}/*/,
+
 @{bin}/fusermount{,3} mr,
 /etc/fuse.conf r,
- umount @{MOUNTS}/,
- umount @{MOUNTS}/*/,
-
 @{PROC}/@{pids}/mounts r,
 /dev/fuse rw,
+
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index 03d4040d..ee105584 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -16,6 +16,9 @@ profile cups-pk-helper-mechanism @{exec_path} {
 capability dac_read_search,
 capability sys_nice,
+ network inet stream,
+ network inet6 stream,
+
 dbus receive bus=system path=/ interface=org.opensuse.CupsPkHelper.Mechanism,
diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate
index 27d0ebb1..cdc55c3b 100644
--- a/apparmor.d/profiles-g-l/language-validate
+++ b/apparmor.d/profiles-g-l/language-validate
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /usr/share/language-tools/language-{options,validate}
-profile language-validate @{exec_path} {
+profile language-validate @{exec_path} flags=(attach_disconnected) {
 include
 capability setgid,
diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap
index b739732d..fbb36744 100644
--- a/apparmor.d/profiles-m-r/netcap
+++ b/apparmor.d/profiles-m-r/netcap
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
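Review bot: In the ccache child profile of borg, `@{MOUNTS}/** rw,` replaces `/media/ccache/*/** rw,`, so the compiler cache may now read and write everything under every mount point rather than one cache directory. If the cache is still expected at a fixed location, a pattern anchored on that directory (as the removed rule was) keeps the previous scope; if the broadening is intentional, a comment stating why ccache needs the whole mount tree would help. In the fusermount child profile, `capability sys_admin,` loses its `# To mount anything:` comment; as the most powerful grant in the file it deserves a one-line justification, even if the wording is shortened.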
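Review bot: In the cups-pk-helper-mechanism hunk, `network inet stream,` and `network inet6 stream,` are added without a comment saying what the helper connects to; presumably the CUPS server, but nothing in the hunk shows it. A comment naming the peer, e.g. `# TCP connection to the CUPS server (confirm against the audit log)`, lets a later reviewer judge whether the rule can stay this broad.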
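Review bot: In the language-validate hunk, `flags=(attach_disconnected)` is added with no comment; the flag makes paths that are disconnected from the namespace root appear as if attached at `/`, which widens what the profile's path rules can match. Recording the denial that motivated it in a comment on the profile line, e.g. `# attach_disconnected: <disconnected path seen in the audit log>`, keeps the widening auditable.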
@@ -13,9 +14,6 @@ profile netcap @{exec_path} {
 include
 capability sys_ptrace,
-
- # To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
- # users than root, for instance systemd-timesync.
 capability dac_read_search,
 ptrace (read),
diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl
index 5490c5e1..e247f882 100644
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@@ -20,7 +20,7 @@ profile pactl @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- /var/lib/gdm/.config/pulse/cookie rk,
+ /var/lib/gdm{3,}/.config/pulse/cookie rk,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-m-r/redshift b/apparmor.d/profiles-m-r/redshift
deleted file mode 100644
index 51a0a492..00000000
--- a/apparmor.d/profiles-m-r/redshift
+++ /dev/null
@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015 Cameron Norman
-# Copyright (C) 2017-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/redshift
-profile redshift @{exec_path} {
- include
- include
- include
-
- @{exec_path} mr,
-
- dbus send
- bus=system
- path=/org/freedesktop/GeoClue2/Client/@{int},
-
- dbus receive
- bus=system
- path=/org/freedesktop/GeoClue2/Manager,
-
- # Allow but log any other dbus activity
- audit dbus bus=system,
-
- # Redshift config files
- owner @{user_config_dirs}/redshift/{,**} rw,
- owner @{user_config_dirs}/redshift.conf rw,
-
- owner @{run}/user/@{uid}/redshift-shared-* rw,
-
- owner @{HOME}/.Xauthority r,
- owner /tmp/xauth-[0-9]*-_[0-9] r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 8cbd0850..fa041e79 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
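Review bot: In the netcap hunk, the two-line comment explaining `capability dac_read_search,` is removed, leaving the capability without any stated reason; `dac_read_search` bypasses directory read and search permission checks system-wide, so the rationale is worth keeping. A condensed form, `# Read @{PROC}/@{pids}/fd/ dirs owned by other users (e.g. systemd-timesync)`, preserves it in one line above the capability.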
@@ -20,6 +20,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability fowner,
 capability fsetid,
+ capability net_admin,
 capability setgid,
 capability setuid,
 capability sys_admin,
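Review bot: `capability net_admin,` is a broad grant (network configuration, privileged socket options) for a disk-management daemon, and the hunk gives no hint of which operation was denied. Please record the triggering denial in a comment on the line, e.g. `# net_admin: <operation seen in the audit log>`, and confirm that a narrower rule (such as a specific `network` or netlink rule) does not already cover it before adding the capability.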