mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 16:03:51 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profiles): general update.

Browse Source
This commit is contained in:
Alexandre Pujol 2023-11-22 21:37:09 +00:00
parent a49d83993a
commit 31bc5a6053
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
16 changed files with 56 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apparmor.d/groups/gnome/gdm-session-worker
View File

@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
capability sys_tty_config, capability sys_tty_config,
signal (receive) set=term peer=gdm, signal (receive) set=term peer=gdm,
signal (receive) set=hup peer=@{systemd},
signal (send) set=hup peer=at-spi*, signal (send) set=hup peer=at-spi*,
signal (send) set=hup peer=dbus-daemon, signal (send) set=hup peer=dbus-daemon,
signal (send) set=hup peer=dbus-run-session, signal (send) set=hup peer=dbus-run-session,

1
apparmor.d/groups/gnome/gnome-software
View File

@ -34,6 +34,7 @@ profile gnome-software @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/baobab rPUx,
@{bin}/bwrap rPUx, @{bin}/bwrap rPUx,
@{bin}/fusermount{,3} rCx -> fusermount, @{bin}/fusermount{,3} rCx -> fusermount,
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,

3
apparmor.d/groups/gnome/mutter-x11-frames
View File

@ -27,7 +27,8 @@ profile mutter-x11-frames @{exec_path} {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm/.config/dconf/user r, /var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,

1
apparmor.d/groups/gnome/tracker-miner
View File

@ -104,6 +104,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
@{run}/blkid/blkid.tab r, @{run}/blkid/blkid.tab r,
@{run}/mount/utab r, @{run}/mount/utab r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/sys/fs/fanotify/max_user_marks r, @{PROC}/sys/fs/fanotify/max_user_marks r,
@{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/systemd/systemd-coredump
View File

@ -25,6 +25,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
mount -> /, mount -> /,
ptrace (read),
@{exec_path} mr, @{exec_path} mr,
@{lib}/** r, @{lib}/** r,

2
apparmor.d/groups/systemd/systemd-journald
View File

@ -27,6 +27,8 @@ profile systemd-journald @{exec_path} {
network netlink raw, network netlink raw,
ptrace (read),
@{exec_path} mr, @{exec_path} mr,
/etc/systemd/journald.conf r, /etc/systemd/journald.conf r,

7
apparmor.d/groups/systemd/systemd-portabled
View File

@ -13,16 +13,9 @@ profile systemd-portabled @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
ptrace (read) peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
/var/lib/portables/{,**} rw, /var/lib/portables/{,**} rw,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
include if exists <local/systemd-portabled> include if exists <local/systemd-portabled>
} }

1
apparmor.d/groups/systemd/systemd-tty-ask-password-agent
View File

@ -14,6 +14,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
audit capability net_admin, audit capability net_admin,
signal (receive) set=(term cont) peer=default,
signal (receive) set=(term cont) peer=logrotate, signal (receive) set=(term cont) peer=logrotate,
@{exec_path} mr, @{exec_path} mr,

6
apparmor.d/profiles-a-f/blueman-mechanism
View File

@ -1,17 +1,17 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-20223 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/blueman-mechanism @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
@{exec_path} += @{lib}/blueman/blueman-mechanism
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python>
capability mknod, capability mknod,
capability net_admin, capability net_admin,

81
apparmor.d/profiles-a-f/borg
View File

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/borg @{exec_path} = @{bin}/borg
profile borg @{exec_path} { profile borg @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
capability dac_read_search, capability dac_read_search,
@ -20,6 +21,11 @@ profile borg @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
mount fstype=fuse -> @{MOUNTS}/,
mount fstype=fuse -> @{MOUNTS}/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{exec_path} r, @{exec_path} r,
@{bin}/ r, @{bin}/ r,
@ -30,42 +36,10 @@ profile borg @{exec_path} {
@{bin}/ldconfig rix, @{bin}/ldconfig rix,
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/pass rPUx,
@{bin}/ssh rPx,
@{bin}/ccache rCx -> ccache, @{bin}/ccache rCx -> ccache,
@{bin}/fusermount{,3} rCx -> fusermount, @{bin}/fusermount{,3} rCx -> fusermount,
@{bin}/pass rPx,
mount fstype=fuse -> @{MOUNTS}/, @{bin}/ssh rPx,
mount fstype=fuse -> @{MOUNTS}/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
/dev/fuse rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/random/boot_id r,
@{run}/systemd/userdb/ r,
@{run}/resolvconf/resolv.conf r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/borg/ rw,
owner @{user_cache_dirs}/borg/** rw,
owner @{user_config_dirs}/borg/ rw,
owner @{user_config_dirs}/borg/** rw,
# If /tmp/ isn't accessible, then /var/tmp/ is used.
owner /tmp/* rw,
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/idx rw,
owner /tmp/tmp*/file rw,
owner /tmp/borg-cache-*/ rw,
owner /tmp/borg-cache-*/* rw,
owner /var/tmp/* rw,
owner /var/tmp/tmp*/ rw,
owner /var/tmp/tmp*/idx rw,
owner /var/tmp/tmp*/file rw,
# Dirs that can be backed up # Dirs that can be backed up
/ r, / r,
@ -80,13 +54,28 @@ profile borg @{exec_path} {
owner @{MOUNTS}/ r, owner @{MOUNTS}/ r,
owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**, owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
# borg serve on server's side owner @{user_cache_dirs}/ rw,
owner /home/borg/*/ rw, owner @{user_cache_dirs}/borg/ rw,
owner /home/borg/*/{,**} rw, owner @{user_cache_dirs}/borg/** rw,
# For exporting the key owner @{user_config_dirs}/borg/ rw,
owner /**/key w, owner @{user_config_dirs}/borg/** rw,
# If /tmp/ isn't accessible, then /var/tmp/ is used.
owner /tmp/* rw,
owner /tmp/borg-cache-*/ rw,
owner /tmp/borg-cache-*/* rw,
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/file rw,
owner /tmp/tmp*/idx rw,
owner /var/tmp/* rw,
owner /var/tmp/tmp*/ rw,
owner /var/tmp/tmp*/file rw,
owner /var/tmp/tmp*/idx rw,
owner @{PROC}/@{pid}/fd/ r,
/dev/fuse rw,
profile ccache { profile ccache {
include <abstractions/base> include <abstractions/base>
@ -97,29 +86,31 @@ profile borg @{exec_path} {
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
/etc/debian_version r, /etc/debian_version r,
@{MOUNTS}/** rw,
include if exists <local/borg_ccache>
} }
profile fusermount { profile fusermount {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin, capability sys_admin,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{bin}/fusermount{,3} mr, @{bin}/fusermount{,3} mr,
/etc/fuse.conf r, /etc/fuse.conf r,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
/dev/fuse rw, /dev/fuse rw,
include if exists <local/borg_fusermount>
} }
include if exists <usr/borg.d> include if exists <usr/borg.d>

3
apparmor.d/profiles-a-f/cups-pk-helper-mechanism
View File

@ -16,6 +16,9 @@ profile cups-pk-helper-mechanism @{exec_path} {
capability dac_read_search, capability dac_read_search,
capability sys_nice, capability sys_nice,
network inet stream,
network inet6 stream,
dbus receive bus=system path=/ dbus receive bus=system path=/
interface=org.opensuse.CupsPkHelper.Mechanism, interface=org.opensuse.CupsPkHelper.Mechanism,

2
apparmor.d/profiles-g-l/language-validate
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/language-tools/language-{options,validate} @{exec_path} = /usr/share/language-tools/language-{options,validate}
profile language-validate @{exec_path} { profile language-validate @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
capability setgid, capability setgid,

4
apparmor.d/profiles-m-r/netcap
View File

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -13,9 +14,6 @@ profile netcap @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_ptrace, capability sys_ptrace,
# To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
# users than root, for instance systemd-timesync.
capability dac_read_search, capability dac_read_search,
ptrace (read), ptrace (read),

2
apparmor.d/profiles-m-r/pactl
View File

@ -20,7 +20,7 @@ profile pactl @{exec_path} {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/gdm/.config/pulse/cookie rk, /var/lib/gdm{3,}/.config/pulse/cookie rk,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,

42
apparmor.d/profiles-m-r/redshift
View File

@ -1,42 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/redshift
profile redshift @{exec_path} {
include <abstractions/base>
include <abstractions/wayland>
include <abstractions/nameservice-strict>
@{exec_path} mr,
dbus send
bus=system
path=/org/freedesktop/GeoClue2/Client/@{int},
dbus receive
bus=system
path=/org/freedesktop/GeoClue2/Manager,
# Allow but log any other dbus activity
audit dbus bus=system,
# Redshift config files
owner @{user_config_dirs}/redshift/{,**} rw,
owner @{user_config_dirs}/redshift.conf rw,
owner @{run}/user/@{uid}/redshift-shared-* rw,
owner @{HOME}/.Xauthority r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
# file_inherit
owner /dev/tty@{int} rw,
include if exists <local/redshift>
}

1
apparmor.d/profiles-s-z/udisksd
View File

@ -20,6 +20,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
capability dac_read_search, capability dac_read_search,
capability fowner, capability fowner,
capability fsetid, capability fsetid,
capability net_admin,
capability setgid, capability setgid,
capability setuid, capability setuid,
capability sys_admin, capability sys_admin,