From 33296ae19ea1c350973dd2b49682349ceb74575f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 8 Apr 2021 22:47:42 +0100
Subject: [PATCH] Add full gnome shell confinement.
---
apparmor.d/groups/desktop/dbus-run-session | 30 +++++
apparmor.d/groups/gnome/gdm-wayland-session | 46 +++++++
apparmor.d/groups/gnome/gdm-x-session | 28 ++++
apparmor.d/groups/gnome/gdm-xsession | 43 ++++++
apparmor.d/groups/gnome/gnome-session-binary | 85 ++++++++++++
apparmor.d/groups/gnome/gnome-session-ctl | 18 +++
apparmor.d/groups/gnome/gnome-shell | 130 +++++++++++++++++++
7 files changed, 380 insertions(+)
create mode 100644 apparmor.d/groups/desktop/dbus-run-session
create mode 100644 apparmor.d/groups/gnome/gdm-wayland-session
create mode 100644 apparmor.d/groups/gnome/gdm-x-session
create mode 100644 apparmor.d/groups/gnome/gdm-xsession
create mode 100644 apparmor.d/groups/gnome/gnome-session-binary
create mode 100644 apparmor.d/groups/gnome/gnome-session-ctl
create mode 100644 apparmor.d/groups/gnome/gnome-shell
diff --git a/apparmor.d/groups/desktop/dbus-run-session b/apparmor.d/groups/desktop/dbus-run-session
new file mode 100644
index 00000000..8771b9f6
--- /dev/null
+++ b/apparmor.d/groups/desktop/dbus-run-session
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/dbus-run-session
+profile dbus-run-session @{exec_path} {
+ include
+
+ signal (receive) set=(term, kill) peer=gdm-wayland-session,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dbus-daemon rPx,
+ /{usr/,}bin/gnome-session rix,
+ /{usr/,}bin/gsettings rix,
+ /{usr/,}lib/gnome-session-binary rPx,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/gdm/greeter-dconf-defaults r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ include if exists
+}
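Review bot: `signal (receive) set=(term, kill) peer=gdm-wayland-session,` pairs dbus-run-session only with the Wayland launcher, yet gdm-x-session in this same commit also transitions into this profile via `/{usr/,}bin/dbus-run-session rPx,`. If the X11 launcher terminates its child on logout the same way the Wayland one does, that signal would be denied; a matching `signal (receive) set=(term) peer=gdm-x-session,` would keep the two entry points symmetric. Note also that gdm-wayland-session only sends `term`, so the `kill` in this receive set has no sender in the patch — a one-line comment saying who is expected to send it would help.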
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
new file mode 100644
index 00000000..606f5189
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gdm-wayland-session
+profile gdm-wayland-session @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ signal (send) set=(term) peer=dbus-run-session,
+ signal (send) set=(term) peer=gnome-session-binary,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/zsh rix,
+ /{usr/,}bin/tty rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/gnome-session rix,
+ /{usr/,}bin/gsettings rix,
+
+ /{usr/,}bin/dbus-run-session rPx,
+ /{usr/,}bin/dbus-daemon rPx,
+ /{usr/,}lib/gnome-session-binary rPx,
+
+ /etc/gdm/custom.conf r,
+
+ /usr/share/gdm/gdm.schemas r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/loginuid r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
new file mode 100644
index 00000000..8a8f7f2e
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gdm-x-session
+profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/Xorg rUx,
+ /{usr/,}bin/dbus-run-session rPx,
+ /etc/gdm/Xsession rPx,
+
+ /etc/gdm/custom.conf r,
+ /usr/share/gdm/gdm.schemas r,
+ /var/lib/gdm/.cache/gdm/Xauthority rw,
+
+ owner /proc/9503/fd/ r,
+
+ /dev/tty[0-9]* rw,
+
+ include if exists
+}
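Review bot: `owner /proc/9503/fd/ r,` in gdm-x-session hard-codes a PID that was apparently lifted from a single audit log, so the rule will never match on another boot and the fd-directory read will be denied; it should be `owner @{PROC}/@{pid}/fd/ r,` exactly as gdm-wayland-session in the hunk above already writes it. `/{usr/,}bin/Xorg rUx,` moves the display server from a confined launcher to the unconfined label; if the repository carries an Xorg profile, `rPx` keeps the chain confined, and if it deliberately does not, a short comment recording that decision would save the next reader the question. The Wayland launcher has no equivalent unconfined transition, so the two entry points currently give different assurance levels.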
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
new file mode 100644
index 00000000..02b3379a
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/gdm/Xsession
+profile sddm-xsession @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} r,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/zsh rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/gnome-session rix,
+ /{usr/,}bin/gsettings rix,
+ /{usr/,}bin/id rix,
+
+ /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/xhost rPx,
+ /{usr/,}lib/gnome-session-binary rPx,
+
+ /etc/X11/{,**} r,
+
+ profile dbus {
+ include
+
+ /{usr/,}bin/dbus-update-activation-environment mr,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
new file mode 100644
index 00000000..5cf1ed07
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-session-binary
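Review bot: The file is named gdm-xsession and attaches to `@{exec_path} = /etc/gdm/Xsession`, but the header reads `profile sddm-xsession @{exec_path} {`, which looks like a copy-paste leftover; it should be `profile gdm-xsession @{exec_path} {`. Beyond the misleading name, if the repository also ships a profile called sddm-xsession the parser rejects the duplicate name and neither display manager's Xsession ends up confined. Signal and exec `peer=` rules elsewhere in this set match on the profile name, so any future rule pairing gdm-x-session with this profile also depends on getting the name right.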
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gnome-session-binary
+profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ signal (send) set=(term) peer=gsd-*,
+ signal (receive) set=(term) peer=gdm-wayland-session,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,z,ba,da}sh rix,
+ /{usr/,}bin/xdg-user-dirs-gtk-update rix,
+ /{usr/,}lib/gnome-session-check-accelerated rix,
+ /{usr/,}lib/gnome-session-check-accelerated-gl-helper rix,
+ /{usr/,}lib/gnome-session-check-accelerated-gles-helper rix,
+ /{usr/,}lib/gnome-session-failed rix,
+ /{usr/,}lib/gnome-shell-overrides-migration.sh rix,
+
+ /{usr/,}bin/aa-notify rPx,
+ /{usr/,}bin/blueman-applet rPx,
+ /{usr/,}bin/gnome-keyring-daemon rPx,
+ /{usr/,}bin/gnome-shell rPx,
+ /{usr/,}bin/xbrlapi rPx,
+ /{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
+ /{usr/,}lib/gsd-* rPx,
+
+ /{usr/,}bin/pkcs11-register rUx,
+ /{usr/,}bin/start-pulseaudio-x11 rUx,
+
+ /usr/share/applications/org.gnome.Shell.desktop r,
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/gnome-session/sessions/*.session r,
+
+ owner @{user_config_dirs}/gnome-session/saved-session/ r,
+ owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
+ owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
+
+ # Users xdg
+ owner @{user_config_dirs}/user-dirs.dirs r,
+ owner @{user_config_dirs}/user-dirs.locale r,
+
+ # Autostart
+ /etc/xdg/autostart/{,*.desktop} r,
+ /usr/share/gdm/greeter/autostart/{,*.desktop} r,
+ owner @{user_config_dirs}/autostart/{,*.desktop} r,
+
+ # Dconf
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ # Temp files
+ /tmp/.ICE-unix/[0-9]* rw,
+
+ owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* r,
+ owner @{run}/user/[0-9]*/gnome-session-leader-fifo rw,
+ owner @{run}/user/[0-9]*/ICEauthority{,-[a-z]} rwl,
+ @{run}/systemd/users/[0-9]* r,
+ @{run}/systemd/sessions/[0-9].ref rw,
+ @{run}/systemd/sessions/[0-9] r,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+
+ @{sys}/devices/**/{vendor,device} r,
+
+ owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/cgroup r,
+
+ /dev/null r,
+ /dev/tty rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
new file mode 100644
index 00000000..db5aa68b
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gnome-session-ctl
+profile gnome-session-ctl @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{run}/user/[0-9]*/gnome-session-leader-fifo r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
new file mode 100644
index 00000000..5cd29603
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-shell
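Review bot: `@{run}/systemd/sessions/[0-9].ref rw,` and `@{run}/systemd/sessions/[0-9] r,` in gnome-session-binary only match single-digit logind session ids, while the neighbouring `@{run}/systemd/users/[0-9]* r,` and `@{run}/systemd/inhibit/[0-9]*.ref rw,` use `[0-9]*`; once a machine reaches session 10 these two rules stop matching and the access is denied. Use `@{run}/systemd/sessions/[0-9]*.ref rw,` and `@{run}/systemd/sessions/[0-9]* r,`; the same `[0-9]` glob recurs in the gnome-shell profile at the end of this patch. Separately, `/{usr/,}bin/pkcs11-register rUx,` and `/{usr/,}bin/start-pulseaudio-x11 rUx,` hand those helpers the unconfined label from an otherwise confined session manager, and a comment on why `rPx`/`rPUx` was not used would make that trade-off reviewable.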
@@ -0,0 +1,130 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/gnome-shell
+profile gnome-shell @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability sys_nice,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ ptrace (read),
+
+ signal (send) set=(term) peer=polkit*,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/Xwayland rPx,
+ /{usr/,}{lib,libexec}/polkit-1/polkit* rPx,
+ /{usr/,}{lib,libexec}/* rPUx,
+
+ /usr/share/desktop-directories/{,*.directory} r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/gnome-shell/{,**} r,
+ /usr/share/libgweather/Locations.xml r,
+ /usr/share/libinput/ r,
+ /usr/share/libinput/[0-9][0-9]-*.quirks r,
+ /usr/share/libwacom/{,*.stylus,*.tablet} r,
+ /usr/share/wayland-sessions/{,*.desktop} r,
+ /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
+ /usr/share/xsessions/{,*.desktop} r,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
+
+ owner @{user_config_dirs}/monitors.xml r,
+ owner @{user_config_dirs}/ibus/* r,
+
+ owner @{user_share_dirs}/gnome-shell/{,**} rw,
+ owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
+
+ owner @{user_cache_dirs}/libgweather/{,**} r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ owner @{run}/user/[0-9]*/gnome-shell/{,**} rw,
+ owner @{run}/user/[0-9]*/gnome-shell-disable-extensions rw,
+ owner @{run}/user/[0-9]*/wayland-[0-9].lock rwk,
+ owner @{run}/user/[0-9]*/gdm/Xauthority r,
+
+ @{run}/systemd/users/[0-9]* r,
+ @{run}/systemd/sessions/[0-9] r,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+
+ @{run}/udev/tags/seat/ r,
+
+ @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+platform* r,
+ @{run}/udev/data/+dmi:id r,
+ @{run}/udev/data/+acpi* r,
+ @{run}/udev/data/+pci* r, # for VGA compatible controller
+ @{run}/udev/data/+sound:card* r, # for sound
+ @{run}/udev/data/+usb* r, # for USB mouse and keyboard
+ @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/c10:[0-9]* r,
+ @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/net/ r,
+ @{sys}/class/input/ r,
+ @{sys}/class/hwmon/ r,
+ @{sys}/class/power_supply/ r,
+ @{sys}/**/uevent r,
+ @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
+ @{sys}/devices/**/power_supply/**/{type,online} r,
+ @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
+ @{sys}/devices/pci[0-9]*/**/boot_vga r,
+ @{sys}/devices/pci[0-9]*/**/{device,vendor} r,
+ @{sys}/devices/pci[0-9]*/**/{subsystem_device,subsystem_vendor} r,
+ @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
+ @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+
+ owner @{PROC}/[0-9]*/fd/ r,
+ owner @{PROC}/[0-9]*/cgroup r,
+ owner @{PROC}/[0-9]*/mounts r,
+ owner @{PROC}/[0-9]*/attr/current r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ @{PROC}/[0-9]*/net/* r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/cmdline r,
+
+ /dev/input/event[0-9]* rw,
+
+ owner /tmp/.X[0-9]-lock rw,
+ owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
+ owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
+ /tmp/.X11-unix/X[0-9] rw,
+
+ include if exists
+}
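Review bot: `/{usr/,}{lib,libexec}/* rPUx,` lets gnome-shell execute any program directly under /usr/lib or /usr/libexec and run it unconfined whenever no profile is attached, which largely undoes the confinement this file adds: the shell also gets `owner @{user_share_dirs}/gnome-shell/{,**} rw,`, so a shell process compromised through an installed extension has an unconfined launcher available. The hunk already enumerates `/{usr/,}bin/Xwayland rPx,` and `/{usr/,}{lib,libexec}/polkit-1/polkit* rPx,`; the remaining helpers gnome-shell actually spawns should be listed the same way, with `rPx` where a profile exists, so the wildcard can be dropped. `ptrace (read),` with no `peer=` likewise allows inspecting the state of every process on the system; if it is only needed alongside the `@{PROC}/[0-9]*/stat` and `@{PROC}/[0-9]*/task/[0-9]*/stat` reads, a `peer=` restriction or a comment recording that need would make the grant reviewable. The single-digit `@{run}/systemd/sessions/[0-9] r,` has the same session-id limitation noted on gnome-session-binary.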