From 3f688be7a075546e8a94391fbf72ff4ebe91f0ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 30 May 2024 21:03:39 +0100 Subject: [PATCH] feat(profile): general update. --- .../groups/freedesktop/xdg-permission-store | 10 +-- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gjs-console | 4 +- .../gnome/gnome-calculator-search-provider | 5 +- apparmor.d/groups/gnome/gnome-characters | 5 +- .../gnome/gnome-control-center-print-renderer | 2 + apparmor.d/groups/gnome/gnome-shell | 55 +++++++++++- apparmor.d/groups/gvfs/gvfsd-wsdd | 7 ++ apparmor.d/profiles-a-f/anyremote | 84 ++++++++----------- apparmor.d/profiles-g-l/ganyremote | 38 +++------ apparmor.d/profiles-s-z/spotify | 6 ++ 11 files changed, 122 insertions(+), 96 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 0057ddeb..088561f3 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -28,11 +28,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw, owner @{desktop_share_dirs}/flatpak/ w, - audit owner @{desktop_share_dirs}/flatpak/db/ rw, - audit owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, - audit owner @{desktop_share_dirs}/flatpak/db/background rw, - audit owner @{desktop_share_dirs}/flatpak/db/devices r, - audit owner @{desktop_share_dirs}/flatpak/db/notifications rw, + owner @{desktop_share_dirs}/flatpak/db/ rw, + owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, + owner @{desktop_share_dirs}/flatpak/db/background rw, + owner @{desktop_share_dirs}/flatpak/db/devices r, + owner @{desktop_share_dirs}/flatpak/db/notifications rw, owner @{user_share_dirs}/flatpak/ w, owner @{user_share_dirs}/flatpak/db/ rw, 
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 58d05970..2e51b941 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -59,7 +59,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-keyring-daemon rPx, @{etc_ro}/X11/xdm/Xstartup rPUx, - @{lib}/{,gdm/}gdm-{x,wayland}-session rPx -> gdm-session, + @{lib}/{,gdm/}gdm-{x,wayland}-session rpx -> gdm-session, /etc/gdm{3,}/{Pre,Post}Session/Default rix, /etc/gdm{3,}/PostLogin/Default rix, /etc/gdm{3,}/PrimeOff/Default rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index de2f97e6..8ed4479a 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -51,8 +51,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/* rPUx, - @{lib}/** rPUx, + @{bin}/* PUx, + @{lib}/** PUx, /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2c04c721..2bd26ef6 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,10 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - dbus bind bus=session name=org.gnome.Calculator.SearchProvider, - dbus receive bus=session path=/org/gnome/Calculator/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, 
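Review bot: The transition to `gdm-session` changes from `rPx` to `rpx`, which drops the environment scrubbing that upper-case `P` applies on exec, and neither the hunk nor the commit message says why. As I understand gdm, this worker is the privileged helper that launches the user session, so if the session launcher genuinely needs variables the worker sets, say so on the line, e.g. `# gdm-session relies on the environment prepared by the worker, hence rpx (no scrubbing)`; otherwise keep `@{lib}/{,gdm/}gdm-{x,wayland}-session rPx -> gdm-session,`. The enclosing profile starts and ends outside the hunk.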
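Review bot: The `#aa:dbus own` directive replaces a receive rule that was pinned to `peer=(name=:*, label=gnome-shell)`, and the directive line carries no peer label, so unless its expansion adds one the SearchProvider2 interface becomes reachable from any session-bus peer rather than only gnome-shell. Please confirm what the directive generates; if it cannot express a label, keep the explicit `dbus receive … peer=(name=:*, label=gnome-shell),` rule next to the `own` line. The gnome-characters hunk in this commit makes the same substitution and needs the same check.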
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 5900c39f..bc577b10 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -15,10 +15,7 @@ profile gnome-characters @{exec_path} { include include - #aa:dbus own bus=session name=org.gnome.Characters - dbus receive bus=session path=/org/gnome/Characters/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 0487cc76..bab6ae3e 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -21,6 +21,8 @@ profile gnome-control-center-print-renderer @{exec_path} { /usr/share/pixmaps/{,**} r, + / r, + owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 45ce4da6..dd58dc81 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -175,10 +175,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, - @{bin}/Xwayland rPx, - @{lib}/polkit-1/polkit* rPx, - @{lib}/* rPUx, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, + @{bin}/unzip rix, + + @{bin}/gjs-console rPx, + @{bin}/glib-compile-schemas rPx, + @{bin}/ibus-daemon rPx, + @{bin}/Xwayland rPx, + @{lib}/mutter-x11-frames rPx, + #aa:exec polkit-agent-helper + + @{sh_path} rCx -> shell, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, 
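Review bot: `@{bin}/unzip rix,` runs unzip inherited inside gnome-shell's own profile, so a malformed archive is parsed with everything gnome-shell is allowed to touch. If this serves the extension installer, the archives are downloaded content, and a child profile in the style of the `shell` and `open` children this same commit introduces (`@{bin}/unzip rCx -> unzip,`, with read on the archive and write limited to the extensions directory) would keep that parsing confined. The enclosing profile starts and ends outside the hunk.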
@@ -363,5 +371,44 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/media@{int} rw, /dev/tty@{int} rw, + profile shell flags=(attach_disconnected,mediate_deleted) { + include + + capability sys_ptrace, + + ptrace (read), + + @{sh_path} mr, + + @{bin}/pmap rix, + @{bin}/grep rix, + + @{sys}/devices/system/node/ r, + + @{PROC}/uptime r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, + + /dev/tty rw, + + include if exists + } + + profile open flags=(attach_disconnected,mediate_deleted) { + include + include + + @{lib}/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + @{lib}/* PUx, + /usr/games/* PUx, + /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4c13c1e1..4c0459cf 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -10,7 +10,14 @@ include profile gvfsd-wsdd @{exec_path} { include + network netlink raw, + @{exec_path} mr, + @{bin}/wsdd rPx, + + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 44a86240..4fa47c61 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote 
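Review bot: The new `shell` child grants `capability sys_ptrace,` and `ptrace (read),` with no `peer=` restriction, so the `sh`/`pmap`/`grep` pipeline it confines may read the maps and `/proc` state of any process the kernel's own checks allow, not just gnome-shell's. If pmap is only ever run against gnome-shell's own pid, `ptrace (read) peer=gnome-shell,` bounds it to that. A one-line comment above the child naming what gnome-shell runs through `@{sh_path}` would make this rule set reviewable later.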
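Review bot: `@{bin}/wsdd rPx,` depends on a `wsdd` profile being loaded; with `Px` a missing target profile makes the exec fail closed, which is the safe outcome but will surface as a silently broken discovery backend. Worth confirming the profile ships in the same set before this lands. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.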
@@ -22,31 +22,32 @@ profile anyremote @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, - @{bin}/rm rix, @{bin}/{,e}grep rix, - @{bin}/cut rix, - @{bin}/id rix, - @{bin}/mv rix, - @{bin}/expr rix, - @{bin}/which{,.debianutils} rix, - @{bin}/head rix, - @{bin}/wc rix, - @{bin}/tr rix, - @{bin}/mkdir rix, - @{bin}/tail rix, @{bin}/{m,g,}awk rix, - @{bin}/sed rix, - @{bin}/md5sum rix, @{bin}/basename rix, - @{bin}/sleep rix, + @{bin}/cat rix, + @{bin}/curl rix, + @{bin}/cut rix, + @{bin}/expr rix, @{bin}/find rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/md5sum rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sleep rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/wc rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, @{bin}/pgrep rCx -> pgrep, @{lib}/qt5/bin/qdbus rCx -> qdbus, - @{bin}/curl rCx -> curl, + @{bin}/pacmd rPx, @{bin}/pactl rPx, @@ -61,34 +62,30 @@ profile anyremote @{exec_path} { @{bin}/mpv rPx, @{bin}/strawberry rPx, - owner @{tmp}/amarok_covers/ rw, - owner @{tmp}/*.png rw, - - # For shell pwd - owner @{HOME}/ r, - - owner @{HOME}/.anyRemote/{,**} rw, - owner @{HOME}/.anyRemote/imdb-mf.sh rix, - /usr/share/anyremote/{,**} r, /usr/share/anyremote/cfg-data/Utils/*.sh rix, - deny @{PROC}/sys/kernel/osrelease r, - + owner @{HOME}/ r, owner @{HOME}/.Xauthority r, + owner @{HOME}/.anyRemote/{,**} rw, + owner @{HOME}/.anyRemote/imdb-mf.sh rix, + owner @{tmp}/amarok_covers/ rw, + owner @{tmp}/*.png rw, + + deny @{PROC}/sys/kernel/osrelease r, profile imagemagic { include @{bin}/convert-im6.q16 mr, + /usr/share/anyremote/cfg-data/Icons/common/*.png r, + /usr/share/ImageMagick-[0-9]/*.xml rw, /etc/ImageMagick-[0-9]/*.xml r, - - /usr/share/anyremote/cfg-data/Icons/common/*.png r, + owner @{HOME}/.anyRemote/*.png rw, - owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, /tmp/ r, 
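Review bot: `@{bin}/curl rix,` replaces `@{bin}/curl rCx -> curl,`, so the one component that talks to remote hosts now inherits the whole anyremote profile (every `rix` tool listed above it, `owner @{HOME}/.anyRemote/{,**} rw`, the tmp rules) instead of the dedicated child that the `-118,40` hunk of this file deletes. Keep the child and give it the `include if exists` line the other children gain in this commit, rather than folding curl into the parent. The enclosing profile starts before the hunk.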
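Review bot: In the `imagemagic` child, `/usr/share/ImageMagick-[0-9]/*.xml rw,` grants write access to ImageMagick's system-wide configuration while the neighbouring `/etc/ImageMagick-[0-9]/*.xml r,` is read-only; convert only reads these, so this should be `/usr/share/ImageMagick-[0-9]/*.xml r,`. As far as this diff shows, the child converts cover art staged under `@{tmp}/amarok_covers/`, which is exactly why it is worth keeping tight. The child profile continues past the end of the hunk.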
@@ -96,6 +93,7 @@ profile anyremote @{exec_path} { owner @{tmp}/amarok_covers/* rw, owner @{tmp}/magick-* rw, + include if exists } profile killall { @@ -118,40 +116,24 @@ profile anyremote @{exec_path} { # file_inherit owner @{HOME}/.anyRemote/anyremote.stdout w, + include if exists } profile pgrep { include - include + include - signal (send) set=(term, kill), - - @{bin}/pgrep mr, - - # The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault. - @{PROC}/ r, - @{PROC}/@{pids}/cmdline r, - deny @{PROC}/sys/kernel/osrelease r, - - # file_inherit owner @{HOME}/.anyRemote/anyremote.stdout w, + include if exists } - profile curl { - include - include - include - - @{bin}/curl mr, - - } - - profile qdbus { + profile qdbus { include @{lib}/qt5/bin/qdbus mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 5f1a56a0..36cb8f90 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -11,14 +11,12 @@ include profile ganyremote @{exec_path} { include include - include - include - include - include + include include - include + include include include + include network inet stream, network inet6 stream, @@ -52,23 +50,18 @@ profile ganyremote @{exec_path} { @{bin}/mpv rPUx, @{bin}/strawberry rPUx, - owner @{HOME}/ r, - owner @{HOME}/.anyRemote/{,*} rw, - /usr/share/anyremote/{,**} r, - - deny @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, + /usr/share/doc/anyremote{,-data}/{,**} r, /etc/fstab r, - # Doc dirs - deny /usr/local/share/ r, - deny /usr/share/ r, - deny /usr/share/doc/ r, - /usr/share/doc/anyremote{,-data}/ r, + owner @{HOME}/ r, + owner @{HOME}/.anyRemote/{,*} rw, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + deny @{PROC}/sys/kernel/osrelease r, profile killall { include 
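Review bot: `/usr/share/anyremote/{,**} r,` is removed from the main ganyremote profile and its only remaining occurrence is inside the `pgrep` child in the next hunk, so ganyremote itself loses read access to its data files unless one of the includes added in the `-11,14` hunk (their targets are not visible in this rendering) provides it. If none does, re-add `/usr/share/anyremote/{,**} r,` next to the new `/usr/share/doc/anyremote{,-data}/{,**} r,` line. Dropping the explicit `deny /usr/share/ r,` and `deny /usr/share/doc/ r,` lines also means directory listings that were silently refused will now appear in the audit log; if that is intended, a short note in the commit message would help the next reader.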
@@ -87,21 +80,16 @@ profile ganyremote @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/stat r, + include if exists } profile pgrep { include - include - - @{bin}/pgrep mr, - - # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. - @{PROC}/ r, - @{PROC}/@{pids}/cmdline r, - deny @{PROC}/sys/kernel/osrelease r, + include /usr/share/anyremote/{,**} r, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 3ab0aa9b..ba94636f 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -41,9 +41,15 @@ profile spotify @{exec_path} { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw, + + @{PROC}/pressure/* r, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{sys}/class/*/ r, + deny owner @{PROC}/@{pid}/clear_refs w, include if exists }