From 3c1a201e4aa644c5b2153f257e6e14d670f06fcd Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 22 Aug 2021 15:38:14 +0100
Subject: [PATCH] Initial pacman profiles.
---
apparmor.d/groups/pacman/pacman | 119 ++++++++++++++++++
apparmor.d/groups/pacman/pacman-hook-dconf | 22 ++++
apparmor.d/groups/pacman/pacman-hook-depmod | 19 +++
apparmor.d/groups/pacman/pacman-hook-dkms | 16 +++
.../groups/pacman/pacman-hook-fontconfig | 23 ++++
apparmor.d/groups/pacman/pacman-hook-gio | 22 ++++
apparmor.d/groups/pacman/pacman-hook-gtk | 33 +++++
.../pacman/pacman-hook-mkinitcpio-install | 38 ++++++
.../pacman/pacman-hook-mkinitcpio-remove | 32 +++++
apparmor.d/groups/pacman/pacman-hook-perl | 30 +++++
apparmor.d/groups/pacman/pacman-hook-systemd | 39 ++++++
apparmor.d/groups/pacman/pacman-key | 11 +-
12 files changed, 403 insertions(+), 1 deletion(-)
create mode 100644 apparmor.d/groups/pacman/pacman
create mode 100644 apparmor.d/groups/pacman/pacman-hook-dconf
create mode 100644 apparmor.d/groups/pacman/pacman-hook-depmod
create mode 100644 apparmor.d/groups/pacman/pacman-hook-dkms
create mode 100644 apparmor.d/groups/pacman/pacman-hook-fontconfig
create mode 100644 apparmor.d/groups/pacman/pacman-hook-gio
create mode 100644 apparmor.d/groups/pacman/pacman-hook-gtk
create mode 100644 apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install
create mode 100644 apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
create mode 100644 apparmor.d/groups/pacman/pacman-hook-perl
create mode 100644 apparmor.d/groups/pacman/pacman-hook-systemd
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
new file mode 100644
index 00000000..0ebc5d20
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman
@@ -0,0 +1,119 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/pacman
+profile pacman @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability net_admin,
+ capability setfcap,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ unix (receive) type=stream,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
+ /{usr/,}{s,}bin/ldconfig rix,
+ /{usr/,}bin/{,ba}sh rix,
+
+ # Pacman hooks & install scripts
+ /{usr/,}bin/arch-audit rPx,
+ /{usr/,}bin/bootctl rPx,
+ /{usr/,}bin/env rix,
+ /{usr/,}bin/fc-cache rPx,
+ /{usr/,}bin/gdk-pixbuf-query-loaders rPx,
+ /{usr/,}bin/glib-compile-schemas rPx,
+ /{usr/,}bin/gtk-query-immodules-3.0 rPx,
+ /{usr/,}bin/install-info rPx,
+ /{usr/,}bin/killall rPx,
+ /{usr/,}bin/pacdiff rPx,
+ /{usr/,}bin/sysctl rPx,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/update-ca-trust rPx,
+ /{usr/,}bin/update-desktop-database rPx,
+ /{usr/,}bin/update-mime-database rPx,
+ /{usr/,}bin/vercmp rix,
+ /{usr/,}lib/dkms/alpm-hook rPx,
+ /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
+ /{usr/,}lib/systemd/systemd-* rPx,
+ /{usr/,}lib/vlc/vlc-cache-gen rPx,
+ /usr/share/libalpm/scripts/* rPx,
+
+ # Install/update packages
+ / r,
+ /boot/{,**} rwl,
+ /etc/{,**} rwl,
+ /opt/{,**} rwl,
+ /srv/{,**} rwl,
+ /usr/{,**} rwl,
+ /var/{,**} rwl,
+
+ # Read packages files
+ @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
+
+ owner /var/lib/pacman/{,**} rwl,
+ owner /tmp/alpm_*/{,**} rw,
+ owner /tmp/checkup-db-[0-9]*/sync/*.db.part rw,
+
owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/environ r,
+
+ @{run}/utmp rk,
+
+ # Silencer,
+ deny /tmp/ r,
+ deny @{HOME}/ r,
+ deny @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+
+ profile gpg {
+ include
+
+ capability dac_read_search,
+
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpgconf mr,
+ /{usr/,}bin/gpgsm mr,
+
+ /{usr/,}bin/dirmngr rix,
+ /{usr/,}bin/gpg-agent rix,
+ /{usr/,}bin/gpg-connect-agent rix,
+
+ @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+ owner /etc/pacman.d/gnupg/ rw,
+ owner /etc/pacman.d/gnupg/** rwkl,
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf
new file mode 100644
index 00000000..45f68e70
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-dconf
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/dconf-update
+profile pacman-hook-dconf @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/dconf rPx,
+
+ /etc/dconf/db/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod
new file mode 100644
index 00000000..58362411
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/depmod
+profile pacman-hook-depmod @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/depmod rPx,
+
+ include if exists
+}
\ No newline at end of file
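Review bot: The `rPx` transitions for `/usr/share/libalpm/scripts/*` and `/{usr/,}lib/systemd/systemd-*` in the pacman profile deny the exec in enforce mode whenever no profile is attached to the matched binary, and this commit ships profiles for only nine libalpm scripts, so any other hook script present on a system fails at install time instead of running. If that is the intended policy it deserves a comment above the hooks block, e.g. `# Every hook below needs its own profile: rPx denies the exec otherwise.`; if not, the `rPUx` form (profile if one exists, unconfined otherwise) is the explicit fallback. `capability net_admin` and `@{PROC}/1/environ r` are granted without a comment saying which code path needs them, and a one-line why-comment on each would let a later reviewer drop them when the caller goes away. The same per-binary requirement applies to the `systemd-*` rules in the pacman-hook-systemd hunk of this commit.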
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
new file mode 100644
index 00000000..412ee4d9
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/dkms/alpm-hook
+profile pacman-hook-dkms @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig
new file mode 100644
index 00000000..31d383bd
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config
+profile pacman-hook-fontconfig @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/rm rix,
+
+ /etc/fonts/conf.d/* rwl,
+ /usr/share/fontconfig/conf.default/* r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio
new file mode 100644
index 00000000..93bb3aba
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-gio
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/gio-querymodules
+profile pacman-hook-gio @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/gio-querymodules rPx,
+
+ /{usr/,}lib/gio/modules/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
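Review bot: The pacman-hook-dkms profile grants only `@{exec_path} mr` plus the base abstraction, while every other hook profile in this commit also grants its interpreter with `/{usr/,}bin/bash rix`; if `/{usr/,}lib/dkms/alpm-hook` is a shell script like its siblings, the `rPx` transition from pacman lands in a profile that cannot execute bash, let alone the dkms binary the hook exists to call, so the hook fails in enforce mode. Adding `/{usr/,}bin/bash rix,` and a rule for the dkms executable it invokes (with a short comment naming it) would make the profile usable. If the profile is a deliberate placeholder, a `# TODO: incomplete, hook denied until the dkms rules are added` comment would say so.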
diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk
new file mode 100644
index 00000000..e110ded4
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache
+profile pacman-hook-gtk @{exec_path} {
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/rmdir rix,
+
+ /{usr/,}bin/gtk-update-icon-cache rPx,
+ /{usr/,}bin/gtk4-update-icon-cache rPx,
+
+ /usr/share/icons/{,**} rw,
+
+ /dev/tty rw,
+
+ # Inherit Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install
new file mode 100644
index 00000000..aca89e4c
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install
+profile pacman-hook-mkinitcpio-install @{exec_path} {
+ include
+
+ capability dac_read_search,
+ capability mknod,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/compgen rix,
+ /{usr/,}bin/install rix,
+ /{usr/,}bin/mkinitcpio rPx,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/sed rix,
+
+ /usr/share/mkinitcpio/*.preset r,
+
+ /etc/mkinitcpio.d/{,**} r,
+
+ owner /boot/vmlinuz-* rw,
+
+ /dev/tty rw,
+
+ # Inherit Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
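Review bot: `owner /boot/vmlinuz-* rw` in pacman-hook-mkinitcpio-install carries the `owner` qualifier while the matching rule in pacman-hook-mkinitcpio-remove (same commit) does not, and nothing explains why the two hooks should differ; one form should be used in both. `capability mknod` is granted without a comment saying which step of the hook creates a device or special file, so it reads as a leftover from log mining rather than a requirement, and a why-comment (or its removal after a re-test) would settle that. Presumably the hook copies the kernel image out of the module tree with the `install` it is allowed to run, in which case a read rule for that source path is missing too — worth confirming against the script.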
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
new file mode 100644
index 00000000..dcd663fb
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove
+profile pacman-hook-mkinitcpio-remove @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+
+ /usr/share/mkinitcpio/*.preset r,
+
+ /boot/vmlinuz-* rw,
+ /boot/initramfs-*.img rw,
+ /boot/initramfs-*-fallback.img rw,
+
+ /dev/tty rw,
+
+ # Inherit Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl
new file mode 100644
index 00000000..3f8a7ae1
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-perl
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh
+profile pacman-hook-perl @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/perl rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/pacman rPx,
+ /{usr/,}bin/sed rix,
+
+ /{usr/,}lib/perl[0-9]*/{,**} r,
+
+ /dev/tty rw,
+
+ # Inherit silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
new file mode 100644
index 00000000..4c8ae2e7
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
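Review bot: `/{usr/,}bin/pacman rPx` in pacman-hook-perl re-enters the full pacman profile, with all of its capabilities and `rwl` access to /usr, /etc and /boot, from a hook whose other rules (`find`, `sed`, read-only access to `/{usr/,}lib/perl[0-9]*/`) suggest it only queries the local package database. A child profile reached by `rCx -> pacman-query` with read-only access to `/var/lib/pacman/` would confine that call to what the hook needs instead of handing a hook script the package manager's full write set. The configuration paths pacman reads are not visible in this hunk, so the child below is a starting point to be completed from an audit log rather than a finished rule set.
```apparmor
  /{usr/,}bin/pacman rCx -> pacman-query,

  # … unchanged: remaining pacman-hook-perl rules …

  # Read-only re-entry: the hook only queries the local package database.
  profile pacman-query {
    include <abstractions/base>

    /{usr/,}bin/pacman mr,

    /var/lib/pacman/{,**} r,
    # TODO(review): add the configuration files pacman reads here (confirm from the audit log)
  }
```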
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/systemd-hook
+profile pacman-hook-systemd @{exec_path} {
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/touch rix,
+
+ /{usr/,}bin/journalctl rPx,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/systemd-binfmt rPx,
+ /{usr/,}bin/systemd-detect-virt rPx,
+ /{usr/,}bin/systemd-hwdb rPx,
+ /{usr/,}bin/systemd-sysctl rPx,
+ /{usr/,}bin/systemd-sysusers rPx,
+ /{usr/,}bin/systemd-tmpfiles rPx,
+ /{usr/,}bin/udevadm rPx,
+
+ /usr/ rw,
+
+ /dev/tty rw,
+
+ # Inherit silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 893ad924..734714b7 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -14,7 +14,7 @@ profile pacman-key @{exec_path} {
 /{usr/,}bin/basename rix,
 /{usr/,}bin/gettext rix,
- /{usr/,}bin/gpg rUx,
+ /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/pacman-conf rPx,
 /{usr/,}bin/tput rix,
@@ -23,5 +23,14 @@ profile pacman-key @{exec_path} {
 /dev/tty rw,
+ profile gpg {
+ include
+
+ /{usr/,}bin/gpg mr,
+
+ /etc/pacman.d/gnupg/ rw,
+ /etc/pacman.d/gnupg/** rwkl,
+ }
+
 include if exists
 }
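Review bot: `/usr/ rw` in pacman-hook-systemd grants write access to the top-level /usr directory entry without saying why; together with the `/{usr/,}bin/touch rix` above it this looks like the hook updating the directory's timestamp, but a reader cannot tell that from the profile and may later widen it to `/usr/{,**}`. A why-comment such as `# the hook only updates the mtime of /usr itself (touch); no file content is written` would pin the rule's scope. If the timestamp update is the only reason, the rule is already as narrow as AppArmor allows, so the comment is the whole fix.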
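Review bot: The new `gpg` child profile in pacman-key is thinner than the one the same commit adds to the pacman profile: the gnupg rules drop the `owner` qualifier (`/etc/pacman.d/gnupg/ rw` here versus `owner /etc/pacman.d/gnupg/ rw` there) and there are no rules for `gpg-agent`, `gpgconf` or `dirmngr`. Since pacman-key manages the keyring (presumably including fetches from a keyserver), it is the caller most likely to need the agent and dirmngr, so this child is likely to hit denials on first use; aligning it with the pacman profile's child (`/{usr/,}bin/gpg-agent rix,`, `/{usr/,}bin/dirmngr rix,`) and restoring `owner` on both gnupg rules would keep the two consistent. The enclosing `profile pacman-key` block starts before the first hunk.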