From 37dd97a87519395e50be81f558d233d011adaa4a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 7 Feb 2023 23:15:18 +0000 Subject: [PATCH] feat(profiles): a the XDG_IMG_DIR and user_img_dirs variables --- apparmor.d/groups/gvfs/gvfsd-archive | 4 +-- apparmor.d/profiles-a-f/blkid | 16 +++++------ apparmor.d/profiles-a-f/btrfs | 5 +--- apparmor.d/profiles-a-f/btrfs-find-root | 6 ++-- apparmor.d/profiles-a-f/btrfs-image | 10 +++---- apparmor.d/profiles-a-f/btrfs-map-logical | 6 ++-- apparmor.d/profiles-a-f/cfdisk | 22 +++++++-------- apparmor.d/profiles-a-f/cgdisk | 6 ++-- apparmor.d/profiles-a-f/dumpe2fs | 10 +++---- apparmor.d/profiles-a-f/e2fsck | 5 +--- apparmor.d/profiles-a-f/e2image | 10 +++---- apparmor.d/profiles-a-f/fdisk | 14 ++++------ apparmor.d/profiles-a-f/fsck-fat | 6 ++-- apparmor.d/profiles-a-f/fuseiso | 34 ++++++++++------------- apparmor.d/profiles-g-l/gdisk | 10 +++---- apparmor.d/profiles-g-l/hdparm | 10 +++---- apparmor.d/profiles-m-r/mke2fs | 18 ++++++------ apparmor.d/profiles-m-r/mkfs-btrfs | 12 ++++---- apparmor.d/profiles-m-r/mkfs-fat | 10 +++---- apparmor.d/profiles-m-r/mount | 5 +--- apparmor.d/profiles-m-r/mtools | 6 ++-- apparmor.d/profiles-m-r/parted | 34 ++++++++++------------- apparmor.d/profiles-m-r/resize2fs | 10 +++---- apparmor.d/profiles-s-z/sfdisk | 10 +++---- apparmor.d/profiles-s-z/sgdisk | 10 +++---- apparmor.d/profiles-s-z/tune2fs | 16 +++++------ apparmor.d/profiles-s-z/virt-manager | 5 +--- apparmor.d/tunables/xdg-user-dirs | 2 ++ docs/variables.md | 2 ++ 29 files changed, 126 insertions(+), 188 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index a4cdfb1b..9760e9c8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive 
@@ -19,9 +19,7 @@ profile gvfsd-archive @{exec_path} { owner @{MOUNTS}/**.{TAR,TAR.GZ,ZIP} r, owner @{HOME}/**.{tar,tar.gz,zip} r, - owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, + owner @{user_img_dirs}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 390d8687..bf940e95 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -19,23 +19,21 @@ profile blkid @{exec_path} { /etc/blkid.conf r, + # When the system doesn't have the /run/ dir, the cache file is placed under /etc/ + @{etc_rw}/blkid.tab{,-*} rw, + @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, + + # Image files + @{user_img_dirs}/{,**} r, + # The standard location of the cache file # Without owner here if this tool should be used as a regular user @{run}/blkid/ rw, @{run}/blkid/blkid.tab{,-*} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - # When the system doesn't have the /run/ dir, the cache file is placed under /etc/ - @{etc_rw}/blkid.tab{,-*} rw, - @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, # For the EVALUATE=scan method @{PROC}/partitions r, - # Image files - @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, - @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index f1053e2a..f2f445df 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs 
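Review bot: In the gvfsd-archive hunk, and in every later hunk that makes the same swap (blkid through virt-manager), `@{user_img_dirs}/{,**}` grants access to every file under the image directories whatever its extension, where the removed rules only matched `.iso/.img/.bin/.mdf/.nrg` names. For the `rwk` profiles this means a confined partitioning or mkfs tool may now write and lock any file kept in that tree, while images stored elsewhere under `@{HOME}` are no longer reachable at all. The overall exposure of `@{HOME}` shrinks, but the new contract deserves a comment next to the rule, for example `# Disk images: whole tree under @{user_img_dirs}, not filtered by extension`. gvfsd-archive also keeps its extension-based archive rules on the context lines, so that profile now mixes both models.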
@@ -33,10 +33,7 @@ profile btrfs @{exec_path} { @{MOUNTS}/*/ext2_saved/image rw, # To be able to manage btrfs volumes - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, # For fsck of the btrfs filesystem directly from gparted owner /tmp/gparted-*/ rw, diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root index 5eb562f7..8819f908 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,10 +15,7 @@ profile btrfs-find-root @{exec_path} { @{exec_path} mr, # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image index 3aecf3be..8dfa0db9 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,13 +14,10 @@ profile btrfs-image @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pid}/mounts r, - # Image files - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, + + owner @{PROC}/@{pid}/mounts r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical index 81d28128..e1948f11 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,10 +15,7 @@ profile btrfs-map-logical @{exec_path} { @{exec_path} mr, # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index deb4be1a..eb577f02 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,23 +16,20 @@ profile cfdisk @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pid}/mountinfo r, - @{PROC}/partitions r, - /etc/fstab r, - owner @{run}/blkid/blkid.tab{,-*} rw, - owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - - # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - # A place for backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk, + # A place for file images + owner @{user_img_dirs}/{,**} rwk, + + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + + @{PROC}/partitions r, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } 
diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index a94b85bd..f2357d35 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -16,10 +17,7 @@ profile cgdisk @{exec_path} { @{exec_path} mr, # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, # A place for backups owner @{HOME}/**.{bak,back} rwk, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 8e7ee6bc..15e46710 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,14 +15,11 @@ profile dumpe2fs @{exec_path} { @{exec_path} mr, + # Image files + owner @{user_img_dirs}/{,**} r, + owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - # Image files - @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, - @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 0932351b..c9c50490 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck 
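Review bot: The dumpe2fs hunk adds the `owner` qualifier to the image rule (`owner @{user_img_dirs}/{,**} r,`) although the four removed rules had none; the hdparm and tune2fs hunks do the same, while blkid and virt-manager stay unqualified. With `owner`, AppArmor allows the access only when the process fsuid matches the file's owner, so running these tools as root against an image owned by a regular user would be denied (hdparm's profile is in complain mode, so there it would only be logged). If the tightening is intended it is worth stating in the commit message; if not, keep the rule unqualified as before, `@{user_img_dirs}/{,**} r,`. Either way, the profiles that previously shared the unqualified form should agree on one.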
@@ -25,10 +25,7 @@ profile e2fsck @{exec_path} { /usr/share/file/misc/magic.mgc r, # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, @{run}/blkid/ rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index 7cd9ebe2..3216a4db 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,14 +15,11 @@ profile e2image @{exec_path} { @{exec_path} mr, + # A place for the metadata image file + owner @{user_img_dirs}/{,**} rwk, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, - # A place for the metadata image file - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - include if exists } diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 5c0f9769..a7b993c5 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -21,19 +22,16 @@ profile fdisk @{exec_path} { @{exec_path} mr, - @{PROC}/partitions r, - /etc/terminal-colors.d/fdisk.disable r, - # For disk images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - # For backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk, + # For disk images + owner @{user_img_dirs}/{,**} rwk, + + @{PROC}/partitions r, + include if exists } diff --git a/apparmor.d/profiles-a-f/fsck-fat b/apparmor.d/profiles-a-f/fsck-fat index d17e06e2..c35f0004 100644 --- a/apparmor.d/profiles-a-f/fsck-fat +++ b/apparmor.d/profiles-a-f/fsck-fat @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,10 +16,7 @@ profile fsck-fat @{exec_path} { @{exec_path} mr, # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 3dccb5c7..c7372c32 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +12,11 @@ profile fuseiso @{exec_path} { include include + # Be able to mount ISO images + mount fstype=fuse.fuseiso -> @{HOME}/*/, + mount fstype=fuse.fuseiso -> @{HOME}/*/*/, + mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/, + @{exec_path} mr, /{usr/,}bin/fusermount{,3} rCx -> fusermount, 
@@ -20,22 +26,13 @@ profile fuseiso @{exec_path} { owner @{HOME}/*/*/ rw, owner @{HOME}/.cache/**/ r, - # Be able to mount ISO images - mount fstype=fuse.fuseiso -> @{HOME}/*/, - mount fstype=fuse.fuseiso -> @{HOME}/*/*/, - mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/, - - # Image files to be mounted - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{HOME}/.mtab.fuseiso rwk, owner @{HOME}/.mtab.fuseiso.new rw, - /dev/fuse rw, + # Image files to be mounted + owner @{user_img_dirs}/{,**} rwk, + /dev/fuse rw, profile fusermount { include @@ -46,23 +43,20 @@ profile fuseiso @{exec_path} { capability dac_read_search, - /{usr/,}bin/fusermount{,3} mr, - mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/, - /dev/fuse rw, + /{usr/,}bin/fusermount{,3} mr, /etc/fuse.conf r, + # Image files to be mounted + owner @{user_img_dirs}/{,**} r, + @{PROC}/@{pid}/mounts r, - # Image files to be mounted - owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, + /dev/fuse rw, } diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 2b501e69..5fdb1da0 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
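Review bot: The main fuseiso profile keeps `rwk` on the rewritten image rule (`owner @{user_img_dirs}/{,**} rwk,`), which now covers the whole image tree rather than only files with an image extension. The `fusermount` child profile in the following hunk gets just `r` for the same path. If fuseiso opens images read-only, as an ISO mounter would be expected to, `owner @{user_img_dirs}/{,**} rk,` (or plain `r`) would be enough here; worth confirming against the tool before narrowing.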
@@ -22,15 +23,12 @@ profile gdisk @{exec_path} { @{exec_path} mr, - # For disk images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - # For backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk, + # For disk images + owner @{user_img_dirs}/{,**} rwk, + include if exists } diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 7c0748a3..2c8878e6 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -25,14 +26,11 @@ profile hdparm @{exec_path} flags=(complain) { /etc/hdparm.conf r, + # Image files + owner @{user_img_dirs}/{,**} r, + # for hdparm --fibmap @{PROC}/devices r, - # Image files - @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, - @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, - include if exists } diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index cda680dc..a42c2dc7 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -24,20 +25,17 @@ profile mke2fs @{exec_path} { /etc/mke2fs.conf r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, - - owner @{run}/blkid/blkid.tab{,-*} rw, - owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 191bb035..bdf210bb 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,16 +18,13 @@ profile mkfs-btrfs @{exec_path} { /dev/btrfs-control rw, + # A place for file images + owner @{user_img_dirs}/{,**} rwk, + @{run}/blkid/blkid.* rw, - owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, - - # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index 441dc271..e89971d6 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -14,13 +15,10 @@ profile mkfs-fat @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pid}/mounts r, - # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, + + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 01473d6e..25231eaf 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -52,10 +52,7 @@ profile mount @{exec_path} flags=(complain) { /media/cdrom[0-9]/ r, # Mount iso/img files - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, owner @{run}/mount/ rw, owner @{run}/mount/utab{,.*} rw, diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index c0a59bcf..5f717544 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -24,10 +25,7 @@ profile mtools @{exec_path} { owner @{HOME}/.mtoolsrc r, # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk, /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index eeb46bdf..5ee1a859 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,21 +34,17 @@ profile parted @{exec_path} { /{usr/,}{s,}bin/dmidecode rPx, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, - @{PROC}/devices r, - - /dev/mapper/ r, - /dev/mapper/control rw, - /etc/inputrc r, # Image files - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, + @{PROC}/devices r, + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, + + /dev/mapper/ r, + /dev/mapper/control rw, profile udevadm { include @@ -58,21 +55,18 @@ profile parted @{exec_path} { /etc/udev/udev.conf r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, # file_inherit include # lots of files in this abstraction get inherited - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{user_img_dirs}/{,**} rwk, } diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index c33b3cd1..82b7fab2 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -19,14 +20,11 @@ profile resize2fs @{exec_path} { / r, /.ismount-test-file rw, + # A place for file images + owner @{user_img_dirs}/{,**} rwk, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, - # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - include if exists } diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 75622a31..22a9a85b 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -22,15 +23,12 @@ profile sfdisk @{exec_path} { @{exec_path} mr, - # For disk images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - # For backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/*/**.{bak,back} rwk, + # For disk images + owner @{user_img_dirs}/{,**} rwk, + include if exists } diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index d844317f..b295e992 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -22,15 +23,12 @@ profile sgdisk @{exec_path} { @{exec_path} mr, - # For disk images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - # For backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/**.{bak,back} rwk, + # For disk images + owner @{user_img_dirs}/{,**} rwk, + include if exists } diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 120be844..d886b8ec 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,27 +12,24 @@ profile tune2fs @{exec_path} { include include include - include include + include network inet stream, network inet6 stream, @{exec_path} mr, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, - /.ismount-test-file rw, + # Image files + owner @{user_img_dirs}/{,**} rw, + owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - # Image files - @{HOME}/**.{iso,img,bin,mdf,nrg} rw, - @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw, - @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw, - @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw, + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 8bddcd19..000263db 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager 
@@ -72,10 +72,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # For disk images @{MOUNTS}/ r, - @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, - @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, + @{user_img_dirs}/{,**} r, # System VM images /var/lib/libvirt/images/{,**} rw, diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index 9f2f213a..d33a2994 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -30,6 +30,7 @@ @{XDG_GAMES_DIR}=".games" @{XDG_VM_DIR}=".vm" @{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" +@{XDG_IMG_DIR}="images" # User personal keyrings @{XDG_SSH_DIR}=".ssh" @@ -55,6 +56,7 @@ @{user_build_dirs}="/tmp/" @{user_pkg_dirs}="/tmp/pkg/" @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ +@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} diff --git a/docs/variables.md b/docs/variables.md index 5b37ea19..9dff8a73 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -23,6 +23,7 @@ title: Variables References | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Vm | `@{XDG_VM_DIR}` | `.vm` | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | +| Disk images | `@{XDG_IMG_DIR}` | `images` | ### Dotfiles @@ -67,6 +68,7 @@ title: Variables References | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | Password | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | ## System variables
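Review bot: The new `@{user_img_dirs}` definition in tunables/xdg-user-dirs carries no comment, yet it is now the single switch behind image access, mostly `rwk`, for all the disk-tool profiles touched by this commit. `@{MOUNTS}/@{XDG_IMG_DIR}` also looks narrower than the removed `@{MOUNTS}/**.{iso,…}` rules: depending on how `@{MOUNTS}` expands (not shown in this patch), it would match only a directory named `images` at the top of a mount rather than image files at any depth. A line such as `# Disk images used by partitioning/filesystem tools; extend locally with @{user_img_dirs}+=/path/` above the definition would make the supported way to widen it explicit, so that users who hit denials do not loosen the individual profiles instead.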