From 40abc982013cdff5816ee12c52f5b6e485bcaf8c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 May 2024 18:16:12 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/abstractions/app/chromium | 6 +++---
 .../abstractions/bus/org.freedesktop.RealtimeKit1 | 6 +++---
 apparmor.d/groups/gnome/gdm-session-worker | 2 +-
 apparmor.d/groups/gnome/gjs-console | 5 -----
 .../groups/gnome/gnome-remote-desktop-daemon | 2 ++
 apparmor.d/groups/gnome/gnome-shell | 7 +++----
 apparmor.d/groups/gnome/gnome-software | 4 ++--
 apparmor.d/groups/gnome/gnome-terminal-server | 2 +-
 apparmor.d/groups/gnome/mutter-x11-frames | 2 +-
 apparmor.d/groups/gvfs/gvfsd-trash | 2 +-
 .../groups/pacman/archlinux-keyring-wkd-sync | 4 ++--
 apparmor.d/profiles-g-l/kanyremote | 1 +
 apparmor.d/profiles-m-r/passimd | 2 ++
 apparmor.d/profiles-s-z/snap | 14 +-------------
 apparmor.d/profiles-s-z/spice-vdagent | 6 ++----
 apparmor.d/profiles-s-z/ssurl | 4 ++--
 apparmor.d/profiles-s-z/vsftpd | 10 ++++------
 17 files changed, 31 insertions(+), 48 deletions(-)
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 3b106c6e..34850c02 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -159,14 +159,14 @@
 owner @{tmp}/tmp.*/ rw,
 owner @{tmp}/tmp.*/** rwk,
+ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
+ owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
+
 /dev/shm/ r,
 owner /dev/shm/.@{domain}* rw,
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
- owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
- owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
-
 @{sys}/bus/ r,
 @{sys}/bus/**/devices/ r,
 @{sys}/class/**/ r,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index a4008970..9a0fdf9f 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@@ -14,17 +14,17 @@
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.RealtimeKit1
- member={MakeThreadRealtime,MakeThreadHighPriority}
+ member=MakeThread*
 peer=(name=:*, label=rtkit-daemon),
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.RealtimeKit1
- member={MakeThreadRealtime,MakeThreadHighPriority}
+ member=MakeThread*
 peer=(name=org.freedesktop.RealtimeKit1),
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.RealtimeKit1
- member=MakeThreadRealtimeWithPID
+ member=MakeThread*
 peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
 include if exists
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index f7219c98..95afc8fc 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -48,7 +48,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
- #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon
+ #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 292013a5..de2f97e6 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
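Review bot: The `member=MakeThread*` glob is wider than the lists it replaces: the first two rules used to admit only MakeThreadRealtime and MakeThreadHighPriority, and now also match the `...WithPID` variants that the third rule alone allowed, i.e. requests to change the scheduling of a thread in another process. rtkit-daemon is expected to do its own authorisation on those calls, so this is a loss of defence-in-depth rather than a hole, but because this is a shared abstraction every profile that includes it inherits the wider set. If the aim is only to stop maintaining the member list, `member={MakeThreadRealtime,MakeThreadHighPriority,MakeThreadRealtimeWithPID,MakeThreadHighPriorityWithPID}` keeps the rule explicit; otherwise a one-line comment stating that the glob deliberately covers the WithPID methods would record the decision.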
@@ -39,11 +39,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gnome/ScreenSaver
- interface=org.gnome.ScreenSaver
- member=GetActive
- peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell),
-
 dbus send bus=session path=/org/gnome/Shell
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 051f0afd..9c7044d0 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -11,6 +11,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -19,6 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 network inet6 stream,
 #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User
+ #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index cf93ebae..7f76ff3f 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{bin}/gnome-shell
 profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
- include
 include
 include
 include
@@ -20,13 +19,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
- include
 include
 include
 include
 include
 include
- include
 include
 include
 include
@@ -89,10 +86,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 # Talk with gnome-shell
 #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
- #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+ #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
 #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
 #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
@@ -208,6 +206,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xml/iso-codes/{,**} r,
+ / r,
 /.flatpak-info r,
 /etc/fstab r,
 /etc/timezone r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 7029d834..259ae8b2 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -29,7 +29,7 @@ profile gnome-software @{exec_path} {
 @{exec_path} mr,
 @{bin}/baobab rPUx,
- @{bin}/bwrap rPUx,
+ @{bin}/bwrap rPx -> flatpak-app,
 @{bin}/fusermount{,3} rCx -> fusermount,
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/gpgconf rCx -> gpg,
@@ -61,7 +61,7 @@ profile gnome-software @{exec_path} {
 /var/lib/flatpak/appstream/{,**} r,
 /var/lib/flatpak/repo/{,**} r,
 /var/lib/flatpak/runtime/{,**} r,
-
+
 /var/lib/PackageKit/offline-update-competed r,
 /var/lib/PackageKit/prepared-update r,
 /var/lib/swcatalog/icons/**.png r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 4ef3dcfd..d06d7214 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
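Review bot: The new `#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console` names gjs-console as the peer holding org.gnome.ScreenSaver, yet the rule deleted from gjs-console in this same commit sent GetActive to `peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell)`, so gnome-shell is the name owner and gjs-console the caller. If `talk` expands into send rules whose peer must own that name, the send half generated here can never match, and gjs-console's profile no longer carries the GetActive rule it just lost unless a matching rule exists outside that hunk. Consider keeping only the receive direction here, or placing the directive on the caller's side as `#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gnome-shell` in gjs-console, and confirm with a screensaver query from a gjs script before merging. The gnome-shell profile body continues outside this hunk.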
@@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} {
 ptrace (read) peer=htop,
 ptrace (read) peer=unconfined,
- #aa:dbus own bus=session name=org.gnome.Terminal
+ #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions
 dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
 interface=org.gnome.Shell.SearchProvider2
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 459970b0..c4c22af1 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -18,7 +18,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=(term) peer=gdm,
+ signal (receive) set=(hup term) peer=gdm{,-session-worker},
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 56768040..8344c454 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} {
 dbus receive bus=session path=/org/gtk/vfs/Daemon
 interface=org.gtk.vfs.Daemon
 member=GetConnection
- peer=(name=:*, label=gnome-shell),
+ peer=(name=:*, label="{gnome-shell,nautilus}"),
 dbus receive bus=session path=/org/gtk/vfs/mountable
 interface=org.gtk.vfs.Mountable
diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
index 1df0cb15..78fefff1 100644
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@@ -20,11 +20,11 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} rix,
 @{bin}/{m,g,}awk rix,
- @{bin}/bash rix,
 @{bin}/dirmngr rix,
- @{bin}/gpg{,2} rix,
 @{bin}/gpg-agent rix,
+ @{bin}/gpg{,2} rix,
 @{bin}/pacman-conf rix,
 /etc/pacman.conf r,
diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote
index cf6503be..b9f22923 100644
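Review bot: Qualifying the `own` directive with `interface=org.gtk.Actions` limits the generated rules for org.gnome.Terminal to that single interface, but as far as I recall the same name also serves the factory interface the gnome-terminal client calls to open windows and tabs (org.gnome.Terminal.Factory0), and no receive rule for it is visible in this hunk. If nothing outside the hunk covers it, a confined gnome-terminal client will be denied at that call. Either drop the interface qualifier, or add an explicit `dbus receive bus=session path=/org/gnome/Terminal/Factory0 interface=org.gnome.Terminal.Factory0 peer=(name=:*, label=gnome-terminal),` next to the SearchProvider2 rule, together with a comment saying why org.gtk.Actions is singled out.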
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@@ -101,6 +101,7 @@ profile kanyremote @{exec_path} {
 /usr/share/anyremote/{,**} r,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd
index 2109f7f8..2ead4d03 100644
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@@ -29,6 +29,8 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
 /var/lib/passim/{,**} r,
 /var/lib/passim/data/{,**} rw,
+ owner /var/log/passim/* rw,
+
 @{PROC}/@{pid}/cmdline r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 26859829..3d71ce76 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -31,19 +31,7 @@ profile snap @{exec_path} {
 #aa:dbus own bus=session name=io.snapcraft.Launcher
 #aa:dbus own bus=session name=io.snapcraft.Settings
- dbus send bus=session path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=StartTransientUnit
- peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
-
- dbus receive bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=JobRemoved
- peer=(name=:*, label="@{p_systemd}"),
- dbus receive bus=session path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=JobRemoved
- peer=(name=:*, label="@{p_systemd_user}"),
+ #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
 dbus send bus=session path=/org/freedesktop/portal/documents
 interface=org.freedesktop.portal.Documents
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index fef063b8..5da32107 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
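Review bot: `owner /var/log/passim/* rw,` grants read as well as write on the log files, where a daemon writing its own log normally needs only `w`, and the glob does not match the directory itself, so the rule neither covers directory creation nor is as tight as it could be. Unless a read denial was observed, `owner /var/log/passim/* w,` is the least-privilege form; add `owner /var/log/passim/ rw,` only if a directory-creation denial actually shows up in the audit log.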
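Review bot: Replacing the three explicit rules with `#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"` widens snap from one method (StartTransientUnit) to everything the user manager exposes on that name, and at the same time drops the system-bus `JobRemoved` receive from `@{p_systemd}`, which a session-only directive does not cover. The first is a least-privilege regression; the second will surface as a denial if snap still waits for job completion on the system bus. If the goal is just to simplify, keep the method-scoped send (`member=StartTransientUnit`) and the two receive rules, or at minimum add a second directive for `bus=system` and a comment recording why the whole systemd1 API is needed.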
@@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
- include
- include
+ include
 include
- include
 dbus send bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.portal.Realtime
diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl
index a0e1764b..9471ab0a 100644
--- a/apparmor.d/profiles-s-z/ssurl
+++ b/apparmor.d/profiles-s-z/ssurl
@@ -13,8 +13,8 @@ profile ssurl @{exec_path} {
 include
 include
- capability dac_read_search,
- deny capability dac_override,
+ capability dac_read_search,
+ capability dac_override,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd
index 727a1792..33915f7c 100644
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@@ -10,13 +10,10 @@ include
 @{exec_path} = @{bin}/vsftpd
 profile vsftpd @{exec_path} {
 include
- include
-
- # Only for local users authentication
 include
-
- # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
 include
+ include
+ include
 # To be able to listen on ports < 1024
 capability net_bind_service,
@@ -43,7 +40,8 @@ profile vsftpd @{exec_path} {
 capability net_admin,
 capability dac_read_search,
 # If session_support=YES, vsftpd will also try and update utmp and wtmp
- include
+
+ @{exec_path} mr,
 # To validate allowed users shells
 /etc/shells r,
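Review bot: Turning `deny capability dac_override,` into `capability dac_override,` converts an explicit, audit-quiet deny into a grant, and dac_override bypasses mode bits for writes as well as reads, whereas the `capability dac_read_search,` kept on the line above already covers reading root-only files. Nothing in the hunk shows which file ssurl needs to write without permission, and the profile otherwise only has `@{exec_path} mr,` here. Unless there is a concrete write denial to point at, keep the deny; if the write is real, keep it alongside a narrow file rule and a comment such as `# dac_override: needed to write <path>`.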
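Review bot: With the include that followed it removed, `# If session_support=YES, vsftpd will also try and update utmp and wtmp` now sits directly above the new blank line and `@{exec_path} mr,`, describing a rule that no longer exists. Either drop the comment or, if utmp/wtmp updates are still required, restore the rule it documented; the include name is not recoverable from this rendering, so it has to be checked against the file. The same clean-up applies to the first hunk, where the explanatory comments were removed together with their includes.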