From 3430e3df90fb5db1ce184443d1c097699fa93962 Mon Sep 17 00:00:00 2001 From: Mikhail Morfikov Date: Wed, 8 Dec 2021 12:59:46 +0100 Subject: [PATCH] update apparmor profiles 
Signed-off-by: Alexandre Pujol --- apparmor.d/abstractions/libvirt-qemu | 2 +- apparmor.d/groups/apps/okular | 1 + apparmor.d/groups/apps/vlc | 1 + apparmor.d/groups/apt/apt-show-versions | 7 ++++++- apparmor.d/groups/apt/cron-popularity-contest | 4 ++++ apparmor.d/groups/apt/dpkg | 9 +++++++++ apparmor.d/groups/apt/dpkg-deb | 3 +++ apparmor.d/groups/apt/dpkg-genbuildinfo | 3 +++ apparmor.d/groups/apt/dpkg-trigger | 2 +- apparmor.d/groups/desktop/obex-folder-listing | 2 ++ apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 ++ apparmor.d/groups/gvfs/gvfsd-mtp | 4 +++- apparmor.d/groups/ssh/ssh | 4 ++-- apparmor.d/groups/systemd/systemd-hostnamed | 2 ++ apparmor.d/profiles-a-f/adduser | 9 ++------- apparmor.d/profiles-a-f/amixer | 7 ++++++- apparmor.d/profiles-a-f/badblocks | 2 +- apparmor.d/profiles-a-f/blkid | 8 +++++--- apparmor.d/profiles-a-f/conky | 4 ++++ apparmor.d/profiles-a-f/df | 1 + apparmor.d/profiles-a-f/dfc | 1 + apparmor.d/profiles-a-f/dumpe2fs | 6 ++++-- apparmor.d/profiles-a-f/ffmpeg | 1 + apparmor.d/profiles-a-f/ffplay | 2 ++ apparmor.d/profiles-a-f/ffprobe | 2 ++ apparmor.d/profiles-g-l/hdparm | 8 ++++++-- apparmor.d/profiles-g-l/hypnotix | 3 ++- apparmor.d/profiles-g-l/jmtpfs | 10 ++++++++++ apparmor.d/profiles-g-l/kmod | 5 +++-- apparmor.d/profiles-m-r/mediainfo | 2 ++ apparmor.d/profiles-m-r/mediainfo-gui | 1 + apparmor.d/profiles-m-r/mkvmerge | 1 + apparmor.d/profiles-m-r/mkvtoolnix-gui | 1 + apparmor.d/profiles-m-r/mpv | 4 +++- apparmor.d/profiles-m-r/ntfsclone | 4 +++- apparmor.d/profiles-m-r/openbox | 3 ++- apparmor.d/profiles-m-r/popularity-contest | 1 + apparmor.d/profiles-m-r/qbittorrent | 1 + apparmor.d/profiles-m-r/qnapi | 1 + apparmor.d/profiles-m-r/qpdfview | 1 + apparmor.d/profiles-m-r/redshift | 3 +++ apparmor.d/profiles-m-r/reprepro | 2 ++ apparmor.d/profiles-s-z/smplayer | 1 + apparmor.d/profiles-s-z/tune2fs | 8 ++++++-- apparmor.d/profiles-s-z/ucf | 3 +-- apparmor.d/profiles-s-z/umount | 1 + apparmor.d/profiles-s-z/uscan | 4 
+++- apparmor.d/profiles-s-z/useradd | 5 ++--- apparmor.d/profiles-s-z/userdel | 9 ++++----- apparmor.d/profiles-s-z/usermod | 6 ++++-- apparmor.d/profiles-s-z/vidcutter | 6 +++++- apparmor.d/profiles-s-z/vnstat | 2 ++ apparmor.d/profiles-s-z/wireshark | 2 +- apparmor.d/profiles-s-z/xrandr | 2 ++ apparmor.d/profiles-s-z/youtube-dl | 1 + apparmor.d/profiles-s-z/ytdl | 1 + 56 files changed, 146 insertions(+), 45 deletions(-) diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index f473a1ca..104bc073 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -198,7 +198,7 @@ /sys/class/ r, # for rbd - /etc/ceph/ceph.conf r, + /etc/ceph/*.conf r, # Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support. diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular index d550ed07..a37242f1 100644 --- a/apparmor.d/groups/apps/okular +++ b/apparmor.d/groups/apps/okular @@ -19,6 +19,7 @@ profile okular @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index d9259acf..a3b39cba 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -67,6 +67,7 @@ profile vlc @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 03cea021..43ba3f3e 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions 
@@ -15,8 +15,13 @@ profile apt-show-versions @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, + /{usr/,}bin/{,ba,da}sh rix, - /usr/bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/apt-get rPx, + + # apt-helper gets "no new privs" so "rix" it + /{usr/,}lib/apt/apt-helper rix, owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw, owner /var/cache/apt-show-versions/files rw, diff --git a/apparmor.d/groups/apt/cron-popularity-contest b/apparmor.d/groups/apt/cron-popularity-contest index df30a29a..0fb5fe75 100644 --- a/apparmor.d/groups/apt/cron-popularity-contest +++ b/apparmor.d/groups/apt/cron-popularity-contest @@ -46,6 +46,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/ r, /var/log/popularity-contest{,.new} rw, /var/log/popularity-contest{,.new}.gpg rw, + /var/log/popularity-contest.[0-9]* rw, # Store last successful http submission timestamp /var/lib/popularity-contest/ rw, @@ -118,6 +119,8 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.new r, /var/log/popularity-contest.new.gpg rw, + /var/log/popularity-contest.[0-9]* r, + /var/log/popularity-contest.[0-9]*.gpg rw, owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**, @@ -144,6 +147,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/ r, /var/log/popularity-contest.new.gpg r, + /var/log/popularity-contest.[0-9]*.gpg r, # file_inherit owner /tmp/#[0-9]*[0-9] rw, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 5a2fe9df..c2c0ac72 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -71,11 +71,14 @@ profile dpkg @{exec_path} { /etc/dpkg/dpkg.cfg r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/sys/kernel/random/boot_id r, owner /tmp/apt-dpkg-install-*/ r, /var/log/dpkg.log w, + @{run}/systemd/userdb/ r, + # For shell pwd /root/ r, 
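Review bot: `/{usr/,}bin/{,ba,da}sh rix,` is the one new executable rule here without a why-comment, and it is the one a reviewer most needs explained: an inherited shell runs with every rule of this profile, including the `rPx` transitions to dpkg and apt-get that follow it. A one-line reason such as `# apt-show-versions spawns a shell for its helper commands — TODO confirm invocation` would tell the next maintainer whether `ix` is really required or whether the shell call could be avoided. The apt-helper line already sets the right example with its no-new-privs comment; note that `rix` there also means any network access apt-helper needs has to be granted in this profile rather than in a profile of its own, so that should be mentioned alongside it if it applies.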
@@ -103,9 +106,15 @@ profile dpkg @{exec_path} { /var/local/** rwl -> /var/local/**, /var/spool/ r, /var/spool/** rwl -> /var/spool/**, + # Fixme when more transitions will be available (#FIXME#) + /var/www/ r, + /var/www/** rwl, # To create log and cache dirs /var/log/**/ rw, /var/cache/**/ rw, + # To create dirs under var + /var/*.dpkg-new/ rw, + /var/*/ rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index a7259fe0..27704dc9 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -14,6 +14,9 @@ profile dpkg-deb @{exec_path} { #capability sys_tty_config, + # For "mk-build-deps -i" + capability dac_override, + @{exec_path} mr, /{usr/,}bin/tar rix, diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 52750d75..b0f4c86d 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -11,6 +11,9 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { include include + # For "mk-build-deps -i" + capability dac_override, + @{exec_path} r, /{usr/,}bin/perl r, diff --git a/apparmor.d/groups/apt/dpkg-trigger b/apparmor.d/groups/apt/dpkg-trigger index c8e569c6..da636f74 100644 --- a/apparmor.d/groups/apt/dpkg-trigger +++ b/apparmor.d/groups/apt/dpkg-trigger @@ -16,7 +16,7 @@ profile dpkg-trigger @{exec_path} { /var/lib/dpkg/triggers/Lock rwk, /var/lib/dpkg/triggers/ r, - /var/lib/dpkg/triggers/Unincorp{,.new} rw, + /var/lib/dpkg/triggers/* rw, include if exists } diff --git a/apparmor.d/groups/desktop/obex-folder-listing b/apparmor.d/groups/desktop/obex-folder-listing index 2b3f0761..3bc0b3ac 100644 --- a/apparmor.d/groups/desktop/obex-folder-listing +++ b/apparmor.d/groups/desktop/obex-folder-listing @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}bin/obex-folder-listing profile obex-folder-listing @{exec_path} { include + include + include @{exec_path} mr, 
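Review bot: `/var/www/** rwl,` leaves the link target unconstrained, while the neighbouring `/var/local/** rwl -> /var/local/**,` and `/var/spool/** rwl -> /var/spool/**,` in the same hunk pin links to their own tree; `/var/www/** rwl -> /var/www/**,` keeps the new rule consistent and the link scope explicit. The `# Fixme when more transitions will be available (#FIXME#)` comment does not say which transition is missing; naming the program that should own /var/www access instead of dpkg (a web-server package's maintainer script, presumably) would make the FIXME actionable. `/var/*/ rw,` and `/var/*.dpkg-new/ rw,` are directory-only rules because of the trailing slash, so they grant creating/removing those directories rather than access to their contents, which the `# To create dirs under var` comment could state outright.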
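Review bot: `capability dac_override,` added under `# For "mk-build-deps -i"` is the broadest of the DAC capabilities: it bypasses read, write and execute permission checks on every path the profile's file rules allow, not only the case the comment names. If the failure under `mk-build-deps -i` was only traversing or reading directories dpkg-deb does not own, `capability dac_read_search,` is the narrower grant (the jmtpfs hunk in this patch uses it); if dpkg-deb genuinely has to write into foreign-owned directories there, keep dac_override but say so in the comment. The same two lines are added to dpkg-genbuildinfo in the next hunk (a `flags=(complain)` profile per its header), so whichever capability is settled on should be applied to both.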
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index bde2960b..455aad95 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -32,6 +32,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{run}/user/@{uid}/dconf/ w, owner @{run}/user/@{uid}/dconf/user rw, + @{run}/systemd/sessions/[0-9]* r, + /etc/fstab r, # Mount points diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 5cf49397..11896952 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,8 +11,10 @@ include @{exec_path} += @{libexec}/gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include include + include + include + include network netlink raw, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index c0bf3dfe..83f4385d 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -28,7 +28,7 @@ profile ssh @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 2340a1c9..5f850bb7 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -30,4 +30,6 @@ profile systemd-hostnamed @{exec_path} { /etc/hostname rw, /etc/.#hostname* rw, + @{run}/udev/data/+dmi:id r, + } 
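Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,` in the second ssh hunk adds link permission without a target, so the rule does not say where a link created from known_hosts may point; elsewhere in this patch the repo uses the explicit form (`owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,` in the dumpe2fs and tune2fs hunks). As I understand ssh's host-file rewrite, it writes a temporary file next to known_hosts and hard-links the current file to `known_hosts.old` before renaming, so `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl -> @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*},` should cover it while keeping the target inside the ssh directory. A short comment such as `# known_hosts.old backup and temp file written when host keys are updated` would explain why both `l` and the `.*` suffix are needed.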
diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 5c1add32..ef8b465a 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -49,16 +49,11 @@ profile adduser @{exec_path} { /etc/adduser.conf r, - # To create user dirs + # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - - # To copy files from /etc/skel/ to user dirs @{HOME}/.* w, + /var/lib/*/{,*} rw, /etc/skel/{,.*} r, - # What's this for? (#FIXME#) - /var/lib/lightdm/{,*} w, - /var/lib/sddm/{,*} w, - include if exists } diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index 2880e46d..a8e37584 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -10,15 +10,20 @@ include profile amixer @{exec_path} { include include + include @{exec_path} mr, + /usr/share/pipewire/client.conf r, + /var/lib/dbus/machine-id r, /etc/machine-id r, owner @{HOME}/.Xauthority r, - owner @{user_config_dirs}/pulse/ r, + owner @{HOME}/.config/pulse/ r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index 9257f82e..f1c2ddce 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -18,7 +18,7 @@ profile badblocks @{exec_path} { @{PROC}/swaps r, # A place for a list of already existing known bad blocks - @{HOME}/** rwk, + @{HOME}/* rwk, @{MOUNTS}/*/** rwk, include if exists diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 3558237f..3d834202 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
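Review bot: `/var/lib/*/{,*} rw,` widens two write-only rules that were scoped to lightdm and sddm into read-write on every file one level under /var/lib — including dpkg's state directory, which the dpkg-trigger hunk in this patch handles with explicit paths — and the old `# What's this for? (#FIXME#)` question is deleted rather than answered. If the display-manager paths are all adduser needs, `/var/lib/{lightdm,sddm}/{,*} w,` keeps the original scope, with a comment such as `# display managers keep per-user data here — TODO confirm which tool writes it`. The same widening appears in the useradd, userdel and usermod hunks later in this patch (the latter two with `{,**}`), and they should share whatever justification is found.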
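Review bot: `owner @{HOME}/.config/pulse/ r,` hard-codes the path that the removed line expressed as `@{user_config_dirs}/pulse/`, while the vidcutter hunk in this same patch still uses `@{user_config_dirs}` and `@{user_cache_dirs}`; the hard-coded form no longer follows a non-default XDG config directory if the variable carries one. Unless the variable resolves wrongly for amixer, keep `owner @{user_config_dirs}/pulse/ r,`. The new `/usr/share/pipewire/client.conf r,` and `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` would also benefit from a one-line comment (pipewire's pulse-compatibility client, presumably) so the next reader knows which audio backend they serve.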
@@ -30,8 +30,10 @@ profile blkid @{exec_path} { @{PROC}/partitions r, # Image files - @{HOME}/** r, - @{MOUNTS}/*/** r, + @{HOME}/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 660a1fdf..3a08586c 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -18,8 +18,12 @@ profile conky @{exec_path} { include include + # To get the external IP address + # For samba share mounts network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, # For dig #network inet stream, diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df index da56f90f..acbf0866 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/profiles-a-f/df @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/df profile df @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index ca7e2477..d8a54689 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dfc profile dfc @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 88ca8c48..35f922c7 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -18,8 +18,10 @@ profile dumpe2fs @{exec_path} { owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # Image files - @{HOME}/** r, - @{MOUNTS}/** r, + @{HOME}/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index ebe49ed2..0f56dd2a 100644 --- a/apparmor.d/profiles-a-f/ffmpeg 
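Review bot: The four extension rules from `@{HOME}/**.{iso,img,bin,mdf,nrg} r,` to `@{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,` are a welcome tightening from `@{HOME}/** r,`, but the identical list is copied into the dumpe2fs, hdparm and tune2fs hunks of this patch, so the four copies will drift the first time an extension is added. The mpv hunk shows the repo's idiom for this: a tunable declared once, e.g. `@{image_ext} = {iso,img,bin,mdf,nrg,ISO,IMG,BIN,MDF,NRG}`, used as `@{HOME}/**.@{image_ext} r,`. If the shared variable is not wanted yet, at least a comment pointing at the sibling profiles keeps them in sync by hand.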
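Review bot: `network inet stream,` and `network inet6 stream,` are now granted in the conky hunk, which makes the `# For dig` / `#network inet stream,` commented-out pair that follows in the same hunk dead text; drop it or fold its reason into the new comment. The two stacked comments `# To get the external IP address` and `# For samba share mounts` sit above the dgram rules, so it is unclear which of the four rules each one explains; placing each comment directly above the rule it justifies (the stream rules for the external-IP fetch, presumably) keeps the profile readable. The enclosing profile continues outside the hunk.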
+++ b/apparmor.d/profiles-a-f/ffmpeg @@ -50,6 +50,7 @@ profile ffmpeg @{exec_path} { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 51b581dd..83aa889c 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -43,6 +43,8 @@ profile ffplay @{exec_path} { include include include + include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe index fe4fd655..1391d5b2 100644 --- a/apparmor.d/profiles-a-f/ffprobe +++ b/apparmor.d/profiles-a-f/ffprobe @@ -41,6 +41,8 @@ include profile ffprobe @{exec_path} { include include + include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 9ba97bbc..b3ba2f2a 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}{s,}bin/hdparm profile hdparm @{exec_path} flags=(complain) { include + include + include include # To remove the following errors: @@ -27,8 +29,10 @@ profile hdparm @{exec_path} flags=(complain) { @{PROC}/devices r, # Image files - @{HOME}/** r, - @{MOUNTS}/*/** r, + @{HOME}/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index ca7cb824..4ebb16de 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -25,6 +25,7 @@ profile hypnotix @{exec_path} { include include include + include include include include @@ -85,7 +86,7 @@ profile hypnotix @{exec_path} { /etc/machine-id r, # Silencer - /{usr/,}lib/hypnotix/** w, + deny /{usr/,}lib/hypnotix/** w, profile xdg-screensaver { 
diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index e7a17e88..e16b29c6 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -17,12 +17,18 @@ profile jmtpfs @{exec_path} { /{usr/,}bin/fusermount{,3} rCx -> fusermount, + owner /tmp/tmp* rw, + owner /tmp/#[0-9]* rw, + # Mount points owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, + owner @{HOME}/.cache/*/mtp{,-[0-9]*}/ rw, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/.cache/*/*/, /etc/magic r, @@ -36,10 +42,14 @@ profile jmtpfs @{exec_path} { # To mount anything: capability sys_admin, + # + capability dac_read_search, + /{usr/,}bin/fusermount{,3} mr, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/.cache/*/*/, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 942deffd..214f5e9f 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -48,7 +48,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { # Initframs owner /tmp/mkinitcpio.*/{,**} rw, - #owner @{PROC}/@{pid}/fd/1 w, + owner @{run}/tmpfiles.d/ w, + owner @{run}/tmpfiles.d/static-nodes.conf w, # For local kernel build owner /tmp/depmod.*/lib/modules/*/ r, diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index 4a5d637e..99ab4053 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -34,6 +34,8 @@ include @{exec_path} = /{usr/,}bin/mediainfo profile mediainfo @{exec_path} { include + include + include include @{exec_path} mr, 
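Review bot: The bare `#` line above `capability dac_read_search,` in the second jmtpfs hunk is an empty comment; it should say what the fusermount child needs to read or search in paths it does not own, e.g. `# fusermount resolves the mount point under a home dir it does not own — TODO confirm`. The new `mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/.cache/*/*/,` rule is added to both hunks (the second presumably inside the fusermount subprofile), but only the first has the matching `owner @{HOME}/.cache/*/mtp{,-[0-9]*}/ rw,`; if the child also needs that directory rule it is missing, and if not, a comment explaining the asymmetry would help. Both enclosing profiles open outside the hunks.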
diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 8a557ec9..7f3c11d3 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -39,6 +39,7 @@ profile mediainfo-gui @{exec_path} { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index a45c658b..49bd5b84 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -41,6 +41,7 @@ include profile mkvmerge @{exec_path} { include include + include include signal (receive) set=(term, kill) peer=mkvtoolnix-gui, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 0cfd3ca8..3528448e 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -53,6 +53,7 @@ profile mkvtoolnix-gui @{exec_path} { include include include + include include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 719ca9f4..2fccf2f1 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -9,7 +9,7 @@ include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, # asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t +# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, flv @{mpv_ext} = [aA]{52,[aA][cC],[cC]3} @{mpv_ext} += [mM][kK][aA] @{mpv_ext} += [fF][lL][aA][cC] @@ -30,6 +30,7 @@ include @{mpv_ext} += [wW][eE][bB][mM] @{mpv_ext} += [wW][mMtT][vV] @{mpv_ext} += [mM][pP]2[tT] +@{mpv_ext} += [fF][lL][vV] # Image extensions # bmp, jpg, jpeg, png, gif @@ -66,6 +67,7 @@ profile mpv @{exec_path} { include include include + include include include include 
diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index 29c1e070..cf4c5edd 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -10,6 +10,8 @@ include profile ntfsclone @{exec_path} { include include + include + include capability sys_admin, @@ -18,7 +20,7 @@ profile ntfsclone @{exec_path} { owner @{PROC}/@{pid}/mounts r, # A place for backups - @{HOME}/** rwk, + @{HOME}/* rwk, @{MOUNTS}/*/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index df7150f3..18abf6b7 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -77,7 +77,8 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - /{usr/,}lib/python3/** w, + deny /{usr/,}lib/python3/** w, + deny owner @{HOME}/.local/lib/python*/site-packages/ r, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 73f758c0..8a690ef8 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -55,6 +55,7 @@ profile popularity-contest @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, + /var/log/popularity-contest.[0-9]* w, include if exists } diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 82e97bf6..30cea3d5 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -18,6 +18,7 @@ profile qbittorrent @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index ae33d67d..64f56c00 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -51,6 +51,7 @@ profile qnapi @{exec_path} { include include include + include include # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the 
diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 14c4d1c8..17a5eb58 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -22,6 +22,7 @@ profile qpdfview @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-m-r/redshift b/apparmor.d/profiles-m-r/redshift index ff46bfe6..8c6ef806 100644 --- a/apparmor.d/profiles-m-r/redshift +++ b/apparmor.d/profiles-m-r/redshift @@ -36,5 +36,8 @@ profile redshift @{exec_path} { owner @{HOME}/.Xauthority r, owner /tmp/xauth-[0-9]*-_[0-9] r, + # file_inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 7ae7b7a1..8150e83f 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -48,12 +48,14 @@ profile reprepro @{exec_path} { # Dirs containing .deb files owner @{REPO_DIR}/*.deb r, + /var/cache/apt/archives/*.deb r, # For package building owner @{user_build_dirs}/pbuilder/result/*.{dsc,changes} r, owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, + profile gpg { include diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 94d968f4..fd4cc054 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -69,6 +69,7 @@ profile smplayer @{exec_path} { include include include + include include include diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 7f189cb0..50f7f5de 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -11,6 +11,8 @@ profile tune2fs @{exec_path} { include include include + include + include network inet stream, network inet6 stream, 
@@ -26,8 +28,10 @@ profile tune2fs @{exec_path} { owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # Image files - @{HOME}/** rw, - @{MOUNTS}/*/** rw, + @{HOME}/**.{iso,img,bin,mdf,nrg} rw, + @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw, + @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw, + @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 95319d5b..5a557c78 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -55,10 +55,9 @@ profile ucf @{exec_path} flags=(complain) { # For md5sum /etc/** r, - /usr/share/*/conffiles/* r, + /usr/share/** r, @{run}/** r, - # For writing new config files /etc/** rw, diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 592bb374..109a4eb4 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -33,6 +33,7 @@ profile umount @{exec_path} flags=(complain) { @{HOME}/ r, @{HOME}/*/ r, @{HOME}/*/*/ r, + @{HOME}/.cache/*/*/ r, @{MOUNTS}/*/ r, @{MOUNTS}/*/*/ r, diff --git a/apparmor.d/profiles-s-z/uscan b/apparmor.d/profiles-s-z/uscan index 260a01d2..6d5e26f5 100644 --- a/apparmor.d/profiles-s-z/uscan +++ b/apparmor.d/profiles-s-z/uscan @@ -38,6 +38,9 @@ profile uscan @{exec_path} { # To run custom maintainer scripts owner @{user_build_dirs}/**/debian/* rPUx, + /usr/share/*/debian/ r, + /usr/share/*/debian/changelog r, + /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpgv rCx -> gpg, @@ -49,7 +52,6 @@ profile uscan @{exec_path} { # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - # For GPG keys owner /tmp/*/ rw, owner /tmp/*/trustedkeys.gpg w, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 261775af..38db74ad 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd 
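Review bot: `/usr/share/** r,` in the ucf hunk replaces `/usr/share/*/conffiles/* r,` under `# For md5sum` with read access to the whole of /usr/share; the risk is modest since that tree is normally world-readable, but the comment no longer says why the conffiles subdirectory stopped being enough. Naming the layout that triggered the change (`# some packages ship reference conffiles outside */conffiles/ — TODO name one`) lets a later maintainer re-narrow the rule. The profile is `flags=(complain)` per the hunk header, so denials here would only have been logged, which is worth remembering before trusting the widened rule in enforce mode.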
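Review bot: The second uscan hunk removes `# For GPG keys`, leaving `owner /tmp/*/ rw,` and `owner /tmp/*/trustedkeys.gpg w,` without the comment that explained them; a temp-directory `rw` rule with no stated purpose is exactly the line a later audit will question. Restore the comment, or attach it directly to the trustedkeys line if the blank-line spacing was the reason for dropping it. In the first hunk, `/usr/share/*/debian/ r,` and `/usr/share/*/debian/changelog r,` could likewise carry a one-line reason (packaging templates read by uscan, presumably — TODO confirm), matching the `# To run custom maintainer scripts` comment above them.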
@@ -63,11 +63,10 @@ profile useradd @{exec_path} { /var/log/faillog rw, /var/log/lastlog rw, - # To create user dirs + # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - - # To copy files from /etc/skel/ to user dirs @{HOME}/.* w, + /var/lib/*/{,*} rw, /etc/skel/{,.*} r, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 52b3eaad..751497b1 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -55,11 +55,10 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /etc/.pwd.lock rwk, # To remove user home files - @{HOME}/ rw, - @{HOME}/** w, - - # To remove user mail - /var/mail/* w, + @{HOME}/{,**} rw, + /var/ r, + /var/lib/ r, + /var/lib/*/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index d51fdd09..98a3d513 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -58,8 +58,10 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/task/ r, # To create and move user dirs - @{HOME}/{,**} rw, - /var/{,**} rw, + @{HOME}/{,**} rw, + /var/ r, + /var/lib/ r, + /var/lib/*/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 4c6a80cc..c835490d 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -45,12 +45,12 @@ profile vidcutter @{exec_path} { include include include + include include include include include include - include include @{exec_path} r, @@ -92,6 +92,10 @@ profile vidcutter @{exec_path} { owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, 
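Review bot: `/var/mail/* w,` (`# To remove user mail`) is dropped in the userdel hunk and nothing visible in the new `/var/ r,`, `/var/lib/ r,`, `/var/lib/*/{,**} rw,` set covers the mail spool, so if `userdel -r` still unlinks the user's spool file that removal will now be denied (the profile is `attach_disconnected`, not complain, per its header). If the spool turned out to be handled by an included abstraction, say so in a comment; otherwise keep `/var/mail/* w,` next to the new rules. The `/var/lib/*/{,**} rw,` grant is much wider than the home-directory cleanup the comment describes and is repeated in the usermod hunk below, so both would benefit from a comment naming which /var/lib entries userdel and usermod actually touch.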
diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index c2985a87..4cb815de 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -63,6 +63,8 @@ profile vnstat @{exec_path} { deny @{PROC}/loadavg r, deny @{sys}/devices/**/hwmon/**/temp*_input r, owner /dev/tty[0-9]* rw, + deny network inet dgram, + deny network inet6 dgram, include if exists } diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 814cde3d..e1508563 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -21,6 +21,7 @@ profile wireshark @{exec_path} { include include include + include include include include @@ -84,7 +85,6 @@ profile wireshark @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, profile open { diff --git a/apparmor.d/profiles-s-z/xrandr b/apparmor.d/profiles-s-z/xrandr index c965fa64..da8e9afe 100644 --- a/apparmor.d/profiles-s-z/xrandr +++ b/apparmor.d/profiles-s-z/xrandr @@ -14,6 +14,8 @@ profile xrandr @{exec_path} { owner @{HOME}/.Xauthority r, + /usr/share/X11/XErrorDB r, + # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 9f0ff95e..07c72c61 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -51,6 +51,7 @@ profile youtube-dl @{exec_path} { include include include + include include signal (receive) set=(term, kill), diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 886b67b3..4943c19f 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -45,6 +45,7 @@ profile ytdl @{exec_path} { include include include + include include signal (receive) set=(term, kill),