feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2023-11-22 21:37:09 +00:00
parent a49d83993a
commit 31bc5a6053
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
16 changed files with 56 additions and 103 deletions


@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
capability sys_tty_config,
signal (receive) set=term peer=gdm,
signal (receive) set=hup peer=@{systemd},
signal (send) set=hup peer=at-spi*,
signal (send) set=hup peer=dbus-daemon,
signal (send) set=hup peer=dbus-run-session,


@ -34,6 +34,7 @@ profile gnome-software @{exec_path} {
@{exec_path} mr,
@{bin}/baobab rPUx,
@{bin}/bwrap rPUx,
@{bin}/fusermount{,3} rCx -> fusermount,
@{bin}/gpg{,2} rCx -> gpg,
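Review bot: `@{bin}/bwrap rPUx,` appears to be the single addition this hunk's header counts, and the U in rPUx means gnome-software executes bwrap unconfined whenever no bwrap profile is loaded. Because bwrap is the helper that sets up the sandbox namespaces, the fallback deserves a one-line comment stating that it is intended, or the rule should become `@{bin}/bwrap rPx,` if a bwrap profile is expected to be shipped alongside. The gnome-software profile begins outside the hunk, so I cannot see whether such a comment exists elsewhere in it.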


@ -27,7 +27,8 @@ profile mutter-x11-frames @{exec_path} {
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
owner @{PROC}/@{pid}/cmdline r,


@ -104,6 +104,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
@{run}/blkid/blkid.tab r,
@{run}/mount/utab r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/sys/fs/fanotify/max_user_marks r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/mountinfo r,


@ -25,6 +25,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
mount -> /,
ptrace (read),
@{exec_path} mr,
@{lib}/** r,
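Review bot: `mount -> /,` carries no fstype or options qualifier, so if it is one of the two additions this hunk's header counts it permits any mount onto the root path from a profile whose job is writing core dumps; the same unqualified `ptrace (read),` appears here and in the systemd-journald hunk that follows, with no peer restriction. Both rules should carry a comment naming the operation that needs them, and the mount rule can probably be narrowed with an `options=` or `fstype=` qualifier once that is known — I cannot see the denial that motivated it, so this is inferred. The enclosing profile starts and ends outside the hunk.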


@ -27,6 +27,8 @@ profile systemd-journald @{exec_path} {
network netlink raw,
ptrace (read),
@{exec_path} mr,
/etc/systemd/journald.conf r,


@ -13,16 +13,9 @@ profile systemd-portabled @{exec_path} {
capability sys_ptrace,
ptrace (read) peer=unconfined,
@{exec_path} mr,
/var/lib/portables/{,**} rw,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
include if exists <local/systemd-portabled>
}


@ -14,6 +14,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
audit capability net_admin,
signal (receive) set=(term cont) peer=default,
signal (receive) set=(term cont) peer=logrotate,
@{exec_path} mr,


@ -1,17 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-20223 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/blueman-mechanism
@{exec_path} += @{lib}/blueman/blueman-mechanism
@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/python>
capability mknod,
capability net_admin,
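Review bot: `# Copyright (C) 2021-20223 Alexandre Pujol <alexandre@pujol.io>` has a typo in the year range, and since only one version of the line is printed it looks like the hunk leaves it untouched; it should read `# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>`, matching the netcap header on this page. The merge of the two `@{exec_path}` assignments into one line is fine as written. The profile body continues outside the hunk.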


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/borg
profile borg @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python>
capability dac_read_search,
@ -20,6 +21,11 @@ profile borg @{exec_path} {
network inet6 dgram,
network netlink raw,
mount fstype=fuse -> @{MOUNTS}/,
mount fstype=fuse -> @{MOUNTS}/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{exec_path} r,
@{bin}/ r,
@ -30,42 +36,10 @@ profile borg @{exec_path} {
@{bin}/ldconfig rix,
@{bin}/uname rix,
@{bin}/pass rPUx,
@{bin}/ssh rPx,
@{bin}/ccache rCx -> ccache,
@{bin}/fusermount{,3} rCx -> fusermount,
mount fstype=fuse -> @{MOUNTS}/,
mount fstype=fuse -> @{MOUNTS}/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
/dev/fuse rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/random/boot_id r,
@{run}/systemd/userdb/ r,
@{run}/resolvconf/resolv.conf r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/borg/ rw,
owner @{user_cache_dirs}/borg/** rw,
owner @{user_config_dirs}/borg/ rw,
owner @{user_config_dirs}/borg/** rw,
# If /tmp/ isn't accessible, then /var/tmp/ is used.
owner /tmp/* rw,
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/idx rw,
owner /tmp/tmp*/file rw,
owner /tmp/borg-cache-*/ rw,
owner /tmp/borg-cache-*/* rw,
owner /var/tmp/* rw,
owner /var/tmp/tmp*/ rw,
owner /var/tmp/tmp*/idx rw,
owner /var/tmp/tmp*/file rw,
@{bin}/pass rPx,
@{bin}/ssh rPx,
# Dirs that can be backed up
/ r,
@ -80,13 +54,28 @@ profile borg @{exec_path} {
owner @{MOUNTS}/ r,
owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
# borg serve on server's side
owner /home/borg/*/ rw,
owner /home/borg/*/{,**} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/borg/ rw,
owner @{user_cache_dirs}/borg/** rw,
# For exporting the key
owner /**/key w,
owner @{user_config_dirs}/borg/ rw,
owner @{user_config_dirs}/borg/** rw,
# If /tmp/ isn't accessible, then /var/tmp/ is used.
owner /tmp/* rw,
owner /tmp/borg-cache-*/ rw,
owner /tmp/borg-cache-*/* rw,
owner /tmp/tmp*/ rw,
owner /tmp/tmp*/file rw,
owner /tmp/tmp*/idx rw,
owner /var/tmp/* rw,
owner /var/tmp/tmp*/ rw,
owner /var/tmp/tmp*/file rw,
owner /var/tmp/tmp*/idx rw,
owner @{PROC}/@{pid}/fd/ r,
/dev/fuse rw,
profile ccache {
include <abstractions/base>
@ -97,29 +86,31 @@ profile borg @{exec_path} {
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
/etc/debian_version r,
@{MOUNTS}/** rw,
include if exists <local/borg_ccache>
}
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{bin}/fusermount{,3} mr,
/etc/fuse.conf r,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{PROC}/@{pids}/mounts r,
/dev/fuse rw,
include if exists <local/borg_fusermount>
}
include if exists <usr/borg.d>
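Review bot: `owner /**/key w,` under `# For exporting the key` grants write access to any owner-owned file named `key` anywhere on the filesystem, which is far broader than the export use case; the line may be context rather than new in the hunk that rebuilds the cache and tmp rules, but either way a comment explaining why a path under `@{HOME}` or `@{user_config_dirs}` is not sufficient would help. In the ccache subprofile, `@{MOUNTS}/** rw,` gives the compiler cache write access to everything under mounted media and should be explained or narrowed to the cache location, and the two `@{bin}/pass` rules (`rPUx` in one place, `rPx` in the other) differ in fallback behaviour, so whichever survives on the new side deserves a note, since rPx denies the exec when no pass profile is loaded while rPUx runs it unconfined. The borg profile starts outside the hunk.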


@ -16,6 +16,9 @@ profile cups-pk-helper-mechanism @{exec_path} {
capability dac_read_search,
capability sys_nice,
network inet stream,
network inet6 stream,
dbus receive bus=system path=/
interface=org.opensuse.CupsPkHelper.Mechanism,
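Review bot: `network inet stream,` and `network inet6 stream,` appear to be among the three additions this hunk's header counts, giving a polkit mechanism helper TCP socket access without a comment on why; if the need is reaching a cupsd over TCP rather than its unix socket, say so in a one-line comment above the rules so that a later audit does not have to rediscover it. If only one address family is actually needed, keeping a single `network inet stream,` line is the tighter choice. The profile starts outside the hunk.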


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/language-tools/language-{options,validate}
profile language-validate @{exec_path} {
profile language-validate @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability setgid,
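Review bot: The new header `profile language-validate @{exec_path} flags=(attach_disconnected) {` adds a flag without a comment on which disconnected path it was needed for; because attach_disconnected changes how paths outside the process's namespace are mediated, a one-line `# attach_disconnected: <reason>` above the profile line keeps the rationale next to the rule. The profile body continues outside the hunk.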


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -13,9 +14,6 @@ profile netcap @{exec_path} {
include <abstractions/nameservice-strict>
capability sys_ptrace,
# To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
# users than root, for instance systemd-timesync.
capability dac_read_search,
ptrace (read),


@ -20,7 +20,7 @@ profile pactl @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/gdm/.config/pulse/cookie rk,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
owner @{HOME}/.Xauthority r,


@ -1,42 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/redshift
profile redshift @{exec_path} {
include <abstractions/base>
include <abstractions/wayland>
include <abstractions/nameservice-strict>
@{exec_path} mr,
dbus send
bus=system
path=/org/freedesktop/GeoClue2/Client/@{int},
dbus receive
bus=system
path=/org/freedesktop/GeoClue2/Manager,
# Allow but log any other dbus activity
audit dbus bus=system,
# Redshift config files
owner @{user_config_dirs}/redshift/{,**} rw,
owner @{user_config_dirs}/redshift.conf rw,
owner @{run}/user/@{uid}/redshift-shared-* rw,
owner @{HOME}/.Xauthority r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
# file_inherit
owner /dev/tty@{int} rw,
include if exists <local/redshift>
}


@ -20,6 +20,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
capability fowner,
capability fsetid,
capability net_admin,
capability setgid,
capability setuid,
capability sys_admin,
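Review bot: `capability net_admin,` looks like the single addition this hunk's header counts, and it joins a list of capabilities with no comment on which udisksd operation requires it. net_admin is a broad capability, so a brief why-comment next to the line (`# net_admin: <operation>`), in the style of the `dac_read_search` explanation in the netcap hunk on this page, would make later audits easier. The profile continues outside the hunk.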