From 477df29dd5aa7a5708ae206152d01250660c552c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 4 Nov 2021 18:33:25 +0000
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/apps/signal-desktop | 2 +-
 apparmor.d/groups/gnome/gnome-control-center | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/groups/gnome/tracker-extract | 4 ++++
 apparmor.d/groups/pacman/mkinitcpio | 3 +++
 apparmor.d/groups/pacman/pacman | 2 +-
 .../groups/pacman/pacman-hook-mkinitcpio-install | 3 ++-
 apparmor.d/groups/pacman/pacman-hook-systemd | 2 +-
 apparmor.d/groups/systemd/systemd-analyze | 5 ++---
 apparmor.d/groups/systemd/systemd-logind | 5 ++---
 apparmor.d/groups/systemd/systemd-sysctl | 5 ++++-
 apparmor.d/profiles-a-f/dkms | 1 +
 apparmor.d/profiles-g-l/git | 5 ++---
 apparmor.d/profiles-m-r/ntfs-3g | 13 +++++++------
 .../profiles-s-z/spice-client-glib-usb-acl-helper | 2 ++
 apparmor.d/profiles-s-z/sudo | 2 +-
 apparmor.d/profiles-s-z/virt-manager | 1 +
 apparmor.d/profiles-s-z/xdg-desktop-portal-gtk | 1 +
 apparmor.d/profiles-s-z/xdg-permission-store | 3 ++-
 19 files changed, 39 insertions(+), 23 deletions(-)
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop
index af557d24..c2d2f41f 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@@ -99,7 +99,7 @@ profile signal-desktop @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 # No new privs
- /{usr/,}bin/xdg-settings rPUx,
+ /{usr/,}bin/xdg-settings rPx,
 /{usr/,}bin/getconf rix,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 3a1f2b4e..c7f6af99 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -60,7 +60,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_share_dirs}/backgrounds/{,**} rw, - owner @{user_share_dirs}/gvfs-metadata/home{,-*.log} r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/webkitgtk/{,**} r, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8374e0f2..236b98a1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,6 +56,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/xsessions/{,*.desktop} r, + /opt/*/**/*.png r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 2c8558cf..a0de6223 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/tracker-extract-3 profile tracker-extract @{exec_path} { include + include include include @@ -24,6 +25,8 @@ profile tracker-extract @{exec_path} { /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, + /etc/libva.conf r, + owner /tmp/tracker-extract-3-files.*/{,*} rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, @@ -44,6 +47,7 @@ profile tracker-extract @{exec_path} { @{run}/udev/data/c51[0-9]:* r, /dev/video[0-9]* rw, + /dev/dri/renderD128 rw, include if exists } diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index a9b453e3..abf707ca 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio 
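Review bot: The new `/dev/dri/renderD128 rw,` rule in the third tracker-extract hunk pins the render node to the first GPU; hosts with more than one DRM device expose renderD129 and up, and hardware-accelerated extraction there (the `/etc/libva.conf` read added in the second hunk suggests that is the goal) would still be denied. Matching the node the way the profile already matches `/dev/video[0-9]*` keeps the same scope: `/dev/dri/renderD[0-9]* rw,`. The `include` added in the first hunk has lost its target in this rendering, so it cannot be reviewed here. The profile block extends beyond each of these hunks.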
@@ -56,6 +56,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/initcpio/busybox rix, /{usr/,}lib/ld-*.so rix, + /{usr/,}@{multiarch}/ld-*.so rix, + /{usr/,}lib/@{multiarch}/ld-*.so rix, /etc/fstab r, /etc/lvm/lvm.conf r, @@ -68,6 +70,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Can copy any program to the initframs /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rm, + /{usr/,}lib/udev/[a-z0-9]* rm, /{usr/,}lib/systemd/systemd-* rm, # Manage /boot diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 7ef902fb..bacf964e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -93,7 +93,7 @@ profile pacman @{exec_path} { @{PROC}/ r, @{run}/ r, - @{sys}/ r, + @{sys}/{,**} r, /mnt r, # Read packages files diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install index 1923bbd5..f18699b9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install -profile pacman-hook-mkinitcpio-install @{exec_path} { +profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, @@ -37,6 +37,7 @@ profile pacman-hook-mkinitcpio-install @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny /apparmor/.null rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index d77fb449..3215b35d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd 
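Review bot: The first of the two added loader rules in the first mkinitcpio hunk, `/{usr/,}@{multiarch}/ld-*.so rix,`, looks like a misspelling of the second, `/{usr/,}lib/@{multiarch}/ld-*.so rix,`: they differ only by the `lib/` component, and I know of no layout that installs the dynamic loader directly under `/usr/<triplet>/`. If it is unintended, drop the first line; if it is deliberate, a comment naming the distribution that uses that path would stop the next reader from removing it. This profile runs `attach_disconnected` and copies arbitrary binaries into the initramfs, so keeping its allow list free of guesswork matters. The profile block extends beyond the hunk.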
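Review bot: Replacing `@{sys}/ r,` with `@{sys}/{,**} r,` in the pacman hunk turns a directory listing into read access to every file under sysfs, which is far more than the old rule granted and more than a package manager normally needs; sysfs exposes hardware identifiers and kernel state that a compromised pacman or hook script would otherwise not see. If the denial being fixed came from one subtree, allowing that subtree keeps the profile least-privilege, e.g. `@{sys}/<subtree>/{,**} r,` with the real path substituted for the placeholder. If the blanket read is really required, a comment naming the operation that needs it would justify the widening. The profile block extends beyond the hunk.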
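Review bot: pacman-hook-mkinitcpio-install still ends without a trailing newline (the `\ No newline at end of file` marker survives on the new side of its second hunk) even though this commit edits the last lines of the file; adding the newline after the closing `}` while the file is being touched stops the marker from reappearing in every later diff. The new `deny /apparmor/.null rw,` line carries no comment here, whereas the identical line added to systemd-sysctl in this same patch is labelled `# Inherit Silencer`; using the same label keeps the two consistent.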
@@ -19,12 +19,12 @@ profile pacman-hook-systemd @{exec_path} { /{usr/,}bin/journalctl rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}bin/systemd-binfmt rPx, /{usr/,}bin/systemd-detect-virt rPx, /{usr/,}bin/systemd-hwdb rPx, /{usr/,}bin/systemd-sysusers rPx, /{usr/,}bin/systemd-tmpfiles rPx, /{usr/,}bin/udevadm rPx, + /{usr/,}lib/systemd-binfmt rPx, /{usr/,}lib/systemd/systemd-sysctl rPx, /usr/ rw, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 2444d93b..804633ad 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,9 +12,8 @@ profile systemd-analyze @{exec_path} { include include - # Needed for the prctl's PR_SET_MM option: - # prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted) capability sys_resource, + capability net_admin, signal (send) peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 31ec8b5a..94dececb 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -41,9 +41,8 @@ profile systemd-logind @{exec_path} flags=(complain) { @{run}/udev/data/c10:[0-9]* r, @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* - @{run}/udev/data/c237:[0-9]* r, - @{run}/udev/data/c238:[0-9]* r, + @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs 
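Review bot: The added `/{usr/,}lib/systemd-binfmt rPx,` path is missing the `systemd/` directory component: the sibling rule directly below it, `/{usr/,}lib/systemd/systemd-sysctl rPx,`, shows where these helpers live, and on every systemd layout I know of systemd-binfmt is installed next to systemd-sysctl. As written the rule matches nothing, so once the old `/{usr/,}bin/systemd-binfmt rPx,` line is gone the hook's exec of systemd-binfmt would be denied outright. The line should read `/{usr/,}lib/systemd/systemd-binfmt rPx,`. The profile block extends beyond the hunk.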
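Review bot: The second systemd-analyze hunk drops the only comment explaining `capability sys_resource,` and adds `capability net_admin,` with no explanation at all, so the profile now grants two privileged capabilities without a recorded reason. net_admin is a broad capability for an analysis tool; if a particular subcommand or socket option needs it, a one-line comment naming it, e.g. `# Needed by systemd-analyze <subcommand>: <reason>` with the placeholders filled in, lets a later reviewer tell a needed grant from a stale one. Keeping the removed strace excerpt for sys_resource, or at least `# Needed for prctl(PR_SET_MM)`, preserves that evidence too. The profile block extends beyond the hunk.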
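Review bot: The new `@{run}/udev/data/c23[0-9]:[0-9]* r,` in the systemd-logind hunk widens two specific majors (237 and 238) to all of 230-239 and, unlike the neighbouring rules, carries no comment saying which devices those are. As far as I recall, majors 234-239 are the kernel's dynamically assigned character majors, so a range is probably the right shape, but a trailing comment such as `# for dynamically assigned char majors` (or whichever devices logind actually needs) would document why a glob replaced the exact numbers. The profile block extends beyond the hunk.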
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 45265344..84c91239 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-sysctl -profile systemd-sysctl @{exec_path} { +profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { include include include @@ -26,5 +26,8 @@ profile systemd-sysctl @{exec_path} { /etc/sysctl.conf r, + # Inherit Silencer + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 281ea841..01eb91b8 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -70,6 +70,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /var/lib/dkms/ r, /var/lib/dkms/** rw, + /etc/lsb-release r, /etc/dkms/{,**} r, # For building module in /usr/src/ subdirs diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 2acfb20e..995303e9 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -14,7 +14,6 @@ include @{exec_path} += /usr/libexec/git-core/git @{exec_path} += /usr/libexec/git-core/git-* @{exec_path} += /usr/libexec/git-core/mergetools/* - profile git @{exec_path} { include include @@ -52,7 +51,6 @@ profile git @{exec_path} { /{usr/,}bin/cat rix, /{usr/,}bin/dirname rix, - owner @{BUILD_DIR}/*/.repo/repo/hooks/* rwix, /{usr/,}bin/mv rix, /{usr/,}bin/whoami rix, /{usr/,}bin/hostname rix, @@ -139,7 +137,8 @@ profile git @{exec_path} { /etc/ssh/ssh_config r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index cfedadcf..6b9b2d0c 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g 
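Review bot: The two new known_hosts rules in the last git hunk overlap: `known_hosts{,.*}` already matches `known_hosts.old`, so `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,` contributes only the `l` link permission. That is easy to misread as a redundant line and delete later; a comment stating the reason, e.g. `# ssh rewrites known_hosts through a temp file and a hard link to known_hosts.old`, would protect it — presumably that hostfile rewrite is what produced the denial, but the patch does not say. The profile block extends beyond the hunk.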
+++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,13 +15,12 @@ profile ntfs-3g @{exec_path} { # When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume include - # Needed in order to mount ntfs disks + capability dac_override, + capability dac_read_search, + capability mknod, capability setgid, capability setuid, capability sys_admin, - capability dac_read_search, - capability dac_override, - capability mknod, @{exec_path} mr, @@ -35,12 +35,13 @@ profile ntfs-3g @{exec_path} { @{MOUNTS}/*/ r, @{MOUNTS}/*/*/ r, - - # Allow to mount ntfs disks only under the /media/ and /mnt/ dirs + # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/, mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/, mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/, mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/*/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, # Allow to mount encrypted partition mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 207348ef..93c64cc7 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -13,6 +13,8 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { capability sys_ptrace, capability fowner, + ptrace (read) peer=virt-manager, + @{exec_path} mr, /{usr/,}lib/gconv/gconv-modules r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 01e0112e..0f058b77 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
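Review bot: Reordering the capabilities in the second ntfs-3g hunk also removed the comment `# Needed in order to mount ntfs disks`, leaving six capabilities — including `dac_override`, `mknod` and `sys_admin` — with no stated reason. Reinstating a comment above the block keeps that context; it can be as short as the original, or note which capability serves which step where that is known. The profile block extends beyond the hunk.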
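Review bot: The new mmcblk mount rules in the third ntfs-3g hunk are granted only for `@{MOUNTS}/*/` and `@{MOUNTS}/*/*/`, while the sd[a-z] rules just above also cover `/mnt/` and `/mnt/*/`, and the rewritten comment in the same hunk still promises mounts under /mnt/. Either SD-card partitions are meant to be mountable under /mnt/ too, in which case add `mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> /mnt/,` and `mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> /mnt/*/,`, or the comment should say the /mnt/ targets apply to sd devices only. Constraining the destination is the right shape for limiting what a FUSE helper can overlay, so keep that when extending. The profile block extends beyond the hunk.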
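Review bot: `ptrace (read) peer=virt-manager,` is added to spice-client-glib-usb-acl-helper next to the existing `capability sys_ptrace,` with no comment, so the pair reads as a blanket permission to inspect virt-manager. If the helper only needs to read the launching process's `/proc/<pid>/` entries, which is what ptrace read rules usually exist for, say so: `# read /proc/<pid>/ of the virt-manager that spawned the helper` — with the actual need confirmed, since the patch gives no denial log to check against. The profile block extends beyond the hunk.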
@@ -15,11 +15,11 @@ profile sudo @{exec_path} { include # include - # capability mknod, capability audit_write, capability chown, capability dac_override, capability dac_read_search, + capability mknod, capability net_admin, capability setgid, capability setuid, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index a72ecb3a..ad682cdc 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -66,6 +66,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/virt-manager/ rw, owner @{user_cache_dirs}/virt-manager/** rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, # For disk images @{MOUNTS}/ r, diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk index f1dd6279..d7e6a9d2 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk +++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/xdg-permission-store b/apparmor.d/profiles-s-z/xdg-permission-store index 74ae1350..235b5e37 100644 --- a/apparmor.d/profiles-s-z/xdg-permission-store +++ b/apparmor.d/profiles-s-z/xdg-permission-store @@ -10,7 +10,8 @@ include profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include - signal (receive) set=(term) peer=gdm, + signal (receive) set=(term hup kill) peer=dbus-daemon, + signal (receive) set=(term hup kill) peer=gdm*, @{exec_path} mr,
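Review bot: `capability mknod,` in the sudo hunk is now granted unconditionally after having been deliberately commented out, and the hunk records no reason for the change. sudo already holds dac_override, setuid and the other capabilities listed, so the marginal exposure is small, but mknod inside a confined profile is exactly the grant a later reader will question; a one-line comment naming the operation that needed it, e.g. `# Needed by <plugin or command> to create <node>` with the placeholders filled in, keeps the allow list auditable. The profile block extends beyond the hunk.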