diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc
index dd843800..9ebee31d 100644
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@@ -71,9 +71,9 @@ profile vlc @{exec_path} {
 include
 include
 include
- include
+ include
+ include
 include
- include if exists
 # capability sys_ptrace,
 # ptrace (read),
@@ -86,6 +86,120 @@ profile vlc @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ dbus (send) bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive) bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.Notifications
+ member=NotificationClosed
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/org/a11y/bus
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.a11y.Bus),
+
+ dbus (send) bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus (send) bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Properties
+ member={Get,RegisterStatusNotifierItem}
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus (send) bus=session path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus (send) bus=session path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive) bus=session path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member=Activate
+ peer=(name=:*),
+
+ dbus (receive) bus=session path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/ScreenSaver
+ interface=org.freedesktop.ScreenSaver
+ member={Inhibit,UnInhibit}
+ peer=(name=org.freedesktop.ScreenSaver),
+
+ dbus (receive) bus=session path=/MenuBar
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member={LayoutUpdated,ItemsPropertiesUpdated}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive) bus=session path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
+ peer=(name=:*),
+
+ dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ peer=(name="{org.freedesktop.DBus,:*}"), # all members
+
+ dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.*
+ peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # all members
+
+# dbus (send) bus=system path=/
+# interface=org.freedesktop.DBus.Peer
+# member=Ping,
+# peer=(name="org.freedesktop.Avahi"),
+
+ dbus (send) bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name=:*),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (receive) bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=EventListenerDeregistered
+ peer=(name=:*),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (bind) bus=session
+ name=org.kde.StatusNotifierItem-*,
+
+ dbus (bind) bus=session
+ name=org.mpris.MediaPlayer2.vlc{,.instance*},
+
 @{exec_path} mrix,
 # Which media files VLC should be able to open
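Review bot: The `/StatusNotifierItem` send rule lists `NewStatus` twice in `member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}`; the duplicate was carried over from the removed one-line form and should become `member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewIcon}`. In the same spirit, the `org.freedesktop.DBus.Properties` rule for `/StatusNotifierWatcher` grants `RegisterStatusNotifierItem`, which is a method of `org.kde.StatusNotifierWatcher` (already allowed by the following rule), so that member looks like a copy-over rather than something VLC calls on the Properties interface. Note also that the later hunk removes `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,` and the dconf rule without a replacement in this file; presumably they now come from the abstractions added in the first hunk, whose targets are not visible in this rendering, so confirm the accessibility bus socket is still reachable or the new `bus=accessibility` rules will never be exercised.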
@@ -154,82 +268,6 @@ profile vlc @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.anyRemote/anyremote.stdout w,
- # DBus
- dbus send
- bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{RequestName,ReleaseName,GetConnectionUnixProcessID}" peer=(name="org.freedesktop.DBus"),
-
- dbus receive
- bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="NotificationClosed" peer=(name=":*"),
-
- dbus send
- bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.a11y.Bus"),
-
- dbus send
- bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name="org.kde.StatusNotifierWatcher"),
-
- dbus send
- bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Properties" member="{Get,RegisterStatusNotifierItem}" peer=(name="org.kde.StatusNotifierWatcher"),
-
- dbus send
- bus="session" path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member="RegisterStatusNotifierItem" peer=(name="org.kde.StatusNotifierWatcher"),
-
- dbus send
- bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}" peer=(name="org.freedesktop.DBus"),
-
- dbus receive
- bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="Activate" peer=(name=":*"),
-
- dbus receive
- bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="{Get,GetAll}" peer=(name=":*"),
-
- dbus send
- bus="session" path="/ScreenSaver" interface="org.freedesktop.ScreenSaver" member="{Inhibit,UnInhibit}" peer=(name="org.freedesktop.ScreenSaver"),
-
- dbus receive
- bus="session" path="/MenuBar" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
-
- dbus send
- bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{LayoutUpdated,ItemsPropertiesUpdated}" peer=(name="org.freedesktop.DBus"),
-
- dbus receive
- bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}" peer=(name=":*"),
-
- dbus (send receive)
- bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
-
- dbus (send receive)
- bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.*" peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"),
-
-# dbus send
-# bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"),
-
- dbus send
- bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,RemoveMatch}" peer=(name="org.freedesktop.DBus"),
-
- dbus send
- bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name="org.a11y.atspi.Registry"),
-
- dbus receive
- bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.freedesktop.DBus.Properties" member="Set" peer=(name=":*"),
-
- dbus send
- bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name="org.a11y.atspi.Registry"),
-
- dbus receive
- bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="EventListenerDeregistered" peer=(name=":*"),
-
- dbus send
- bus="accessibility" path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="{GetKeystrokeListeners,GetDeviceEventListeners}" peer=(name="org.a11y.atspi.Registry"),
-
- dbus bind
- bus="session" name="org.kde.StatusNotifierItem-*",
-
- dbus bind
- bus="session" name="org.mpris.MediaPlayer2.vlc{,.instance*}",
-
- owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
- owner @{run}/user/*/dconf/user rw,
-
 profile xdg-screensaver {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index 4285ad4d..32d5b102 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
 profile polkit-agent-helper @{exec_path} {
 include
+ include
 include
 include
 include
@@ -28,6 +29,16 @@ profile polkit-agent-helper @{exec_path} {
 signal (receive) set=(term, kill) peer=gnome-shell,
 signal (receive) set=(term, kill) peer=pkexec,
+ dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=AuthenticationAgentResponse2
+ peer=(name=:*),
+
 @{exec_path} mr,
 # file_inherit
@@ -36,17 +47,5 @@ profile polkit-agent-helper @{exec_path} {
 @{run}/faillock/[a-zA-z0-9]* rwk,
- # DBus
- @{run}/dbus/system_bus_socket rw,
-
- dbus send
- bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"),
-
- dbus send
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"),
-
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index cef1ed60..b743426b 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
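Review bot: Both new send rules in polkit-agent-helper use `peer=(name=:*)`, so the `AuthenticationAgentResponse2` call, which carries the result of a privileged authentication, may be delivered to any connection that owns the addressed path rather than only to the confined authority daemon; since this commit also defines a `polkitd` profile, pinning the recipient with `peer=(label=polkitd)` (or `peer=(name=org.freedesktop.PolicyKit1)`) would make the reply channel explicit. The old one-line form had the same `:*` peer, so this is a tightening opportunity rather than a regression. Separately, the third hunk drops `@{run}/dbus/system_bus_socket rw,` and the send rule for `{Hello,AddMatch,StartServiceByName,GetNameOwner}` with no replacement in this file; presumably the include added in the first hunk (target not visible here) now supplies them, so confirm it covers `StartServiceByName`, which the helper needs if polkitd is bus-activated.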
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,25 +11,44 @@ include
 @{exec_path} += @{libexec}/polkitd
 profile polkitd @{exec_path} {
 include
+ include
 include
- capability setuid,
 capability setgid,
- capability sys_ptrace,
+ capability setuid,
 capability sys_nice,
+ capability sys_ptrace,
 audit deny capability net_admin,
 ptrace (read),
- @{exec_path} mr,
+ dbus (send) bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}
+ peer=(name=org.freedesktop.DBus),
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/task/@{tid}/stat r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/1/environ r,
- @{PROC}/cmdline r,
+ dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]{,/**}
+ interface=org.freedesktop.PolicyKit[0-9]{,.**}
+ peer=(name="{org.freedesktop.DBus,:*}"), # all members
+
+ dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent
+ interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent
+ peer=(name=:*), # all members
+
+ dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent,AuthenticationAgentResponse2}
+ peer=(name=:*),
+
+ dbus (bind) bus=system
+ name=org.freedesktop.PolicyKit[0-9],
+
+ @{exec_path} mr,
 /etc/machine-id r,
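Review bot: The receive rule for `org.freedesktop.PolicyKit[0-9].Authority` enumerates members but leaves out the rest of that interface — `RegisterAuthenticationAgentWithOptions`, `AuthenticationAgentResponse`, `EnumerateTemporaryAuthorizations`, `RevokeTemporaryAuthorizations` and `RevokeTemporaryAuthorizationById` — so an agent using the WithOptions registration, or an admin tool revoking temporary authorizations, would be denied at polkitd rather than at the caller; either extend the list or add a comment stating that those methods are deliberately excluded. The list did gain `UnregisterAuthenticationAgent` relative to the removed rule, which is consistent with the pkexec profile in this commit. The send rule to `org.freedesktop.DBus` now omits `Hello`, `AddMatch` and `RemoveMatch`, and the following hunk drops `@{run}/dbus/system_bus_socket rw,`; both presumably move into the newly added include, whose target is not visible in this rendering, so that dependency is worth confirming before merge.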
@@ -54,29 +73,16 @@ profile polkitd @{exec_path} {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
 # Silencer
 deny /.cache/ rw,
- # DBus
- dbus send
- bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,AddMatch,RemoveMatch,Hello,RequestName}" peer=(name="org.freedesktop.DBus"),
-
- dbus receive
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"),
-
- dbus send
- bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"),
-
- dbus receive
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"),
-
- dbus bind
- bus="system" name="org.freedesktop.PolicyKit1",
-
- @{run}/dbus/system_bus_socket rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
index 7f29301c..5ad67ae7 100644
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@@ -11,25 +11,26 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
 include
 capability dac_read_search,
- capability syslog,
 capability sys_ptrace,
+ capability syslog,
 ptrace (read),
+ network inet dgram,
+ network inet6 dgram,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/fuser rix,
- network inet dgram,
- network inet6 dgram,
-
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/net/unix r,
+ owner @{PROC}/@{pid}/stat r,
 @{PROC}/ r,
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/maps r,
 @{PROC}/swaps r,
 include if exists
-}
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index 9033252a..9d8baf1e 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
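Review bot: The closing `-}` / `+}` pair followed by `\ No newline at end of file` shows that the only change to the last line is the loss of the trailing newline, which is almost certainly an editor accident rather than an intended change; restore the newline so the hunk shrinks to the rule reorder and the new `owner @{PROC}/@{pid}/stat r,` line. The rest of the hunk only moves the `network inet dgram` / `network inet6 dgram` rules and the `capability syslog` line into sorted position, which is fine.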
@@ -11,29 +12,53 @@ profile pkexec @{exec_path} flags=(complain) {
 include
 include
 include
+ include
 include
 include
 signal (send) set=(term, kill) peer=polkit-agent-helper,
- capability sys_ptrace,
 capability audit_write,
 capability dac_read_search,
-
- # gdbus
- capability setgid,
- # gmain
- capability setuid,
-
- # Needed?
- deny capability sys_nice,
+ capability setgid, # gdbus
+ capability setuid, # gmain
+ capability sys_ptrace,
+ audit deny capability sys_nice,
 ptrace (read),
 network netlink raw,
+ dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={EnumerateActions,CheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent}
+ peer=(name=:*),
+
+ dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/Authority
+ interface=org.freedesktop.PolicyKit[0-9]*.Authority
+ member=Changed
+ peer=(name=:*),
+
+ dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/AuthenticationAgent
+ interface=org.freedesktop.PolicyKit[0-9]*.AuthenticationAgent
+ member=BeginAuthentication
+ peer=(name=:*),
+
 @{exec_path} mr,
+ # Apps to be run via pkexec
+ /{usr/,}{s,}bin/* rPUx,
+ @{libexec}/gvfs/gvfsd-admin rPUx, #(#FIXME#)
+ @{libexec}/polkit-agent-helper-[0-9] rPx,
+ @{libexec}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+ /{usr/,}lib/update-notifier/package-system-locked rPx,
+ /usr/share/apport/apport-gtk rPx,
+
 /etc/shells r,
 /etc/environment r,
 /etc/default/locale r,
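Review bot: The two receive rules use `PolicyKit[0-9]*` in both `path=` and `interface=`, whereas the two send rules directly above and every other profile in this commit use `PolicyKit[0-9]`; the `*` makes the glob accept any suffix after the digit and is the only place this pattern appears, so it should become `path=/org/freedesktop/PolicyKit[0-9]/Authority` and `interface=org.freedesktop.PolicyKit[0-9].Authority` (and likewise for the `AuthenticationAgent` rule) unless the wider match is deliberate. The `/{usr/,}{s,}bin/* rPUx` entry under "Apps to be run via pkexec" means any target without its own profile runs unconfined as root; that is inherent to pkexec, but the comment should say so explicitly, e.g. `# Targets without a profile fall back to unconfined (U); keep this list in sync with profiled helpers`, so a later reader does not mistake it for an oversight. The profile remains `flags=(complain)`, so none of these rules are enforced yet; the new `audit deny capability sys_nice` will only log under that flag.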
@@ -42,28 +67,9 @@ profile pkexec @{exec_path} flags=(complain) {
 @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
- # Apps to be run via pkexec
- /{usr/,}{s,}bin/* rPUx,
- /{usr/,}bin/* rPUx,
- /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
- /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
- /{usr/,}lib/update-notifier/package-system-locked rPx,
-
 # file_inherit
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- # DBus stricter
- @{run}/dbus/system_bus_socket rw,
-
- dbus send
- bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"),
-
- dbus send
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name=":*"),
-
 include if exists
 }