diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index 72fbbf9b..dbfca0ee 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -43,8 +43,8 @@
 #owner @{HOME}/orcexec.* mrw,
 /{usr/,}lib/frei0r-[0-9]/*.so mr,
- /{usr/,}lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
- /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+ /{usr/,}lib{,exec}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+ /{usr/,}lib{,exec}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
 /{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr,
 /{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr,
 /{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index be777ebd..ef0156cd 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -41,11 +41,12 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
 @{libexec}/* rPUx,
 @{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
+ @{libexec}/kf5/kiod5 rPUx,
 /{usr/,}bin/ r,
 /{usr/,}bin/[a-z0-9]* rPUx,
+ /{usr/,}lib{,exec}/dbus-1.0/dbus-daemon-launch-helper rPx,
 /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
 /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
- /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
 /{usr/,}lib/ibus/ibus-* rPx,
 /{usr/,}lib/telepathy/mission-control-5 rPx,
 /usr/share/gnome-documents/org.gnome.Documents rPx,
diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index c45f9a9d..24ad8a89 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -17,6 +17,7 @@ profile cron @{exec_path} {
 capability audit_write,
 capability dac_read_search,
+ capability net_admin,
 capability setgid,
 capability setuid,
 capability sys_resource,
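Review bot: `capability net_admin,` is a broad grant for the cron daemon itself and the hunk carries no comment saying which job needs it; CAP_NET_ADMIN covers interface, routing and firewall configuration, so it should at least be justified inline, e.g. `capability net_admin, # TODO: confirm cron itself (not a job) needs this`. If the need comes from a job that cron executes with rPUx, the capability belongs in that job's own profile rather than in cron's. The capability list continues outside the hunk.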
@@ -35,7 +36,6 @@ profile cron @{exec_path} {
 /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
 /{usr/,}lib/sysstat/debian-sa1 rPUx,
 /usr/share/rsync/scripts/rrsync rPUx,
- /usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY
 /etc/cron.d/{,*} r,
 /etc/crontab r,
@@ -54,5 +54,7 @@ profile cron @{exec_path} {
 owner @{PROC}/@{pid}/loginuid rw,
 @{PROC}/1/limits r,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index 759f0583..e8151475 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -39,6 +39,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
+ owner /tmp/runtime-cb/xauth_?????? r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 /var/lib/lightdm/.Xauthority r,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index 04a64722..ae5e5597 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -89,6 +89,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
+ owner /tmp/runtime-cb/xauth_?????? r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 1aac6db9..dd5b2684 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -18,11 +18,11 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
 include
- include
 ptrace (trace) peer=@{profile_name},
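Review bot: `owner /tmp/runtime-cb/xauth_?????? r,` hard-codes what looks like a per-user directory — `runtime-cb` has the shape of the `/tmp/runtime-$USER` fallback used when XDG_RUNTIME_DIR is unset, so if that reading is right the rule only ever matches for a user named `cb` and is dead for everyone else. In that case it should be written against the pattern, e.g. `owner /tmp/runtime-*/xauth_?????? r,`, and the same applies to the identical lines this commit adds to at-spi2-registryd, xdg-desktop-portal-gtk, xprop, xrdb, kwalletd5 and xauth. The profile body continues outside the hunk.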
@@ -140,12 +140,13 @@ profile pulseaudio @{exec_path} {
 owner /var/lib/lightdm/.config/pulse/{,**} rw,
 owner /var/lib/lightdm/.config/pulse/cookie k,
+ /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
+ /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+ owner @{user_config_dirs}/ w,
 owner @{user_config_dirs}/pulse/{,**} rw,
 owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
 owner @{run}/user/@{uid}/ rw,
 owner @{run}/user/@{uid}/pulse/{,*} rw,
@@ -167,6 +168,9 @@ profile pulseaudio @{exec_path} {
 owner @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/cmdline r,
+ /dev/media[0-9]* r,
+ /dev/video[0-9]* rw,
+
 # file_inherit
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 9a08abeb..3fd33bb7 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -111,6 +111,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/nautilus rPx,
 /{usr/,}bin/snap rPx,
+ /{usr/,}bin/kreadconfig5 rPUx,
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 /{usr/,}lib/gio-launch-desktop rPx -> child-open,
 /{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
@@ -142,5 +143,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/task/@{tid}/status r,
 owner @{PROC}/@{pids}/cgroup r,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 7642f66b..c127a1f5 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
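Review bot: `/dev/video[0-9]* rw,` and `/dev/media[0-9]* r,` give the audio daemon unqualified write access to every video-capture and media-controller node, with no `owner` and no comment recording why. If the trigger is the GStreamer plugin scanner probing V4L2 devices (the gstreamer registry rules in the previous hunk make that plausible, but the hunk does not say), it is worth checking whether `r` is enough and recording the reason, e.g. `/dev/video[0-9]* rw, # gstreamer v4l2 probe — TODO confirm write is needed`. The profile continues outside the hunk.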
@@ -9,15 +9,18 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
 include
- include
+ include
 include
 include
- include
 include
+ include
+ include
 include
 include
 include
 include
+ include
+ include
 include
 include
 include
@@ -153,10 +156,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 / r,
+ owner /var/lib/xkb/server-[0-9]*.xkm rw,
+ owner @{HOME}/ r,
 owner @{HOME}/.* r,
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
+ owner /tmp/runtime-cb/xauth_?????? r,
+ @{run}/mount/utab r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index e71b988c..bb26c8fd 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -22,14 +22,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability ipc_owner,
 capability setgid,
 capability setuid,
 capability sys_admin,
- # These can be denied.
- #deny capability dac_override,
- #deny capability sys_rawio,
- # deny capability sys_nice,
+ # These can be denied?
+ #audit capability dac_override,
+ #audit capability sys_rawio,
+ #audit capability sys_nice,
 #capability sys_tty_config,
 signal (send) set=(usr1),
@@ -64,6 +65,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/xorg/modules/** mr,
 /var/lib/xkb/server-[0-9]*.xkm rw,
+ /var/lib/xkb/compiled/server-[0-9]*.xkm rw,
 /usr/share/egl/{,**} rw,
 /usr/share/libinput*/ r,
diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop
index f22b7965..77c8bc2d 100644
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+ # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
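Review bot: `capability ipc_owner,` is added without the kind of note the neighbouring comment block gives for the other capabilities, and it is a significant grant — it bypasses permission checks on System V IPC objects, which for a root display server means it can attach any client's shared-memory segment. A one-line justification such as `capability ipc_owner, # attach client SysV shm segments — TODO confirm (MIT-SHM?)` would keep the reason next to the rule; note that turning the commented `#deny` rules into `#audit` changes only comment text and has no effect until they are uncommented. The profile continues outside the hunk.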
@@ -12,11 +13,13 @@ profile xprop @{exec_path} {
 @{exec_path} mr,
- owner @{HOME}/.Xauthority r,
-
- owner @{HOME}/.icons/default/index.theme r,
 /usr/share/icons/*/cursors/crosshair r,
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.icons/default/index.theme r,
+
+ owner /tmp/runtime-cb/xauth_?????? r,
+
 # file_inherit
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index b540380a..9001ed0a 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -17,7 +17,7 @@ profile xrdb @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
 /{usr/,}bin/cpp rix,
- /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
+ /{usr/,}lib{,32,64}/gcc/@{multiarch}/[0-9]*/cc1 rix,
 /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
 /usr/include/stdc-predef.h r,
@@ -30,8 +30,9 @@ profile xrdb @{exec_path} {
 owner @{user_config_dirs}/Xresources/.Xresources r,
 owner @{user_config_dirs}/Xresources/* r,
- owner /tmp/xauth-[0-9]*-_[0-9] r,
 owner /tmp/kcminit.* r,
+ owner /tmp/runtime-cb/xauth_?????? r,
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
 # file_inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 416ab990..fb9e5073 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -16,6 +16,8 @@ profile gpgsm @{exec_path} {
 @{exec_path} mr,
+ /usr/share/gnupg/* r,
+ /etc/gcrypt/hwf.deny r,
 deny /usr/bin/.gnupg/ w,
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index 611e4c17..a730a6dc 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -24,6 +24,8 @@ profile scdaemon @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
 owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
+ owner /var/tmp/zypp.??????/zypp-trusted-*/S.scdaemon w,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
 @{sys}/devices/pci[0-9]*/**/bConfigurationValue r,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 79ad69aa..f20f3fb9 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -26,6 +26,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /{usr/,}{s,}bin/netconfig rPUx,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/chronyc rPUx,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 259e678e..0d2365a6 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -27,21 +27,22 @@ profile ssh @{exec_path} {
 /{usr/,}bin/{,b,d,rb}ash rix,
 /{usr/,}bin/{c,k,tc,z}sh rix,
- owner @{PROC}/@{pid}/fd/ r,
+ @{etc_ro}/ssh/sshd_config r,
+ @{etc_ro}/ssh/sshd_config.d/{,*} r,
 owner @{HOME}/@{XDG_SSH_DIR}/ r,
+ owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
 owner @{HOME}/@{XDG_SSH_DIR}/config r,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
- owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
+ owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl,
+ owner @{user_projects_dirs}/**/ssh/{,*} r,
 owner @{user_projects_dirs}/**/config r,
- /etc/ssh/ssh_config r,
- /etc/ssh/ssh_config.d/{,*} r,
- owner @{run}/user/@{uid}/keyring/ssh rw,
 owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/kwalletd5 b/apparmor.d/profiles-g-l/kwalletd5
index 9cd52cf5..5fbd0dda 100644
--- a/apparmor.d/profiles-g-l/kwalletd5
+++ b/apparmor.d/profiles-g-l/kwalletd5
@@ -20,6 +20,7 @@ profile kwalletd5 @{exec_path} {
 include
 include
 include
+ include
 include
 include
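Review bot: The two added lines grant the ssh client `@{etc_ro}/ssh/sshd_config r,` and `@{etc_ro}/ssh/sshd_config.d/{,*} r,`, while the lines they replace were `/etc/ssh/ssh_config r,` and `/etc/ssh/ssh_config.d/{,*} r,`; the client reads ssh_config, not the server's sshd_config, so unless this was deliberate the profile now loses the system client configuration and opens the daemon configuration instead. The intended lines are presumably `@{etc_ro}/ssh/ssh_config r,` and `@{etc_ro}/ssh/ssh_config.d/{,*} r,`. The hunk ends at the profile's closing brace.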
@@ -29,18 +30,23 @@ profile kwalletd5 @{exec_path} {
 /{usr/,}bin/gpg{,2} rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
- /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
- /usr/share/hwdata/pnp.ids r,
+ /usr/share/icu/72.1/icudt72l.dat r,
+ /usr/share/qt5/qtlogging.ini r,
 /usr/share/qt5ct/** r,
- /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kwinrc r,
+ /var/lib/dbus/machine-id r,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdedefaults/kwinrc r,
 owner @{user_config_dirs}/kdeglobals r,
 owner @{user_config_dirs}/kwalletrc r,
+ owner @{user_config_dirs}/kwinrc r,
 owner @{user_config_dirs}/qt5ct/{,**} r,
 owner @{user_share_dirs}/kwalletd/ rw,
@@ -50,6 +56,7 @@ profile kwalletd5 @{exec_path} {
 owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
 owner /tmp/kwalletd5.* rw,
+ owner /tmp/runtime-cb/xauth_?????? r,
 @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index d4a3d70d..3b7d235d 100644
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -22,6 +22,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
 /usr/share/hwdata/pci.ids r,
 /usr/share/misc/pci.ids r,
 /usr/share/misc/pci.ids.gz r,
+ /usr/share/pci.ids r,
 /etc/modprobe.d/{,*.conf} r,
 /etc/udev/hwdb.bin r,
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index 7ae7ffd1..e9112b2e 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -33,9 +33,9 @@ profile lvm @{exec_path} {
 @{sys}/class/ r,
 @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
- @{PROC}/devices r,
- owner @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/fd/ r,
+ @{PROC}/devices r,
 owner @{PROC}/@{pid}/mounts r,
 /dev/**/ r,
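Review bot: `/usr/share/icu/72.1/icudt72l.dat r,` pins a single ICU release in the path, so the rule silently stops matching at the next libicu upgrade and the profile regresses without any change in this repository. Write it against the version pattern instead, e.g. `/usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*l.dat r,`, as the xrdb hunk in this same commit does with `[0-9]*` for the gcc path. The profile body continues outside the hunk.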
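Review bot: Replacing `owner @{PROC}/@{pid}/cmdline r,` with `@{PROC}/@{pid}/cmdline r,` drops the `owner` qualifier; since `@{pid}` in this project is a pid glob rather than the caller's own pid (confirm against the tunables), the new rule lets lvm read the command line of every process on the system, not only those it owns. If lvm only needs its own cmdline the `owner` should stay; if a specific foreign process must be read, a comment naming it would explain the wider rule. The reordering of `@{PROC}/devices r,` is cosmetic; the profile continues outside the hunk.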
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 94a89dfa..cf4b8005 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -47,11 +47,14 @@ profile su @{exec_path} {
 /{usr/,}bin/{c,k,tc,z}sh rUx,
 /{usr/,}{s,}bin/nologin rPx,
- /etc/default/locale r,
+ @{etc_ro}/default/su r,
 @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/{,*.conf} r,
+ /etc/default/locale r,
 /etc/shells r,
+ owner@{HOME}/.xauth?????? rw,
+ owner @{PROC}/@{pids}/loginuid r,
 owner @{PROC}/@{pids}/cgroup r,
 owner @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth
index 71388754..51a9f8f6 100644
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@@ -16,6 +16,11 @@ profile xauth @{exec_path} {
 /Xauthority-c w,
+ owner @{HOME}/.xauth?????? rw,
+ owner @{HOME}/.xauth??????-c w,
+ owner @{HOME}/.xauth??????-l wl,
+ owner @{HOME}/.xauth??????-n rw,
+
 owner @{HOME}/.Xauthority-c w,
 owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
 owner @{HOME}/.Xauthority-n rw,
@@ -26,5 +31,8 @@ profile xauth @{exec_path} {
 owner /tmp/serverauth.*-n rw,
 owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
+ owner @{run}/run/user/@{uid}/xauth_?????? r,
+ owner /tmp/runtime-cb/xauth_?????? r,
+
 include if exists
 }
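Review bot: `owner@{HOME}/.xauth?????? rw,` is missing the space between the `owner` qualifier and the path, so the line is either rejected when the profile is parsed or not treated as an owner-qualified rule; it should read `owner @{HOME}/.xauth?????? rw,`. The equivalent rules added to xauth in the next file are spelled correctly. The profile body continues outside the hunk.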
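Review bot: `owner @{run}/run/user/@{uid}/xauth_?????? r,` repeats the `run` component — `@{run}` already expands to the run directory, so this resolves to `/run/run/user/…` and will never match. The intended line is presumably `owner @{run}/user/@{uid}/xauth_?????? r,`, the `@{run}/user/@{uid}/…` form used elsewhere in this commit. In the first xauth hunk, `owner @{HOME}/.xauth??????-l wl,` also lacks the `-> …-c` link target that the existing `.Xauthority-l` rule carries; worth confirming the unrestricted link is intended. The hunk ends at the profile's closing brace.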