From 4894d6a3c44b6fbfa5f19d844093335b70321a1e Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Thu, 27 Jul 2023 13:23:04 +0200 Subject: [PATCH] Adding /dev/tty[0-9]* and /dev/pts/[0-9]* to various profiles; update kded5 and reflector (#183) * Update update-mime-database * Update btrfs * Update update-grub * Update pacman-hook-depmod * Update pacman * Update systemd-sysusers * Update lscpu * Update pacman-hook-systemd * Update pacman-hook-perl * Update pacman-hook-gtk * Update needrestart-iucode-scan-versions * Update reflector * Update kded5 --- apparmor.d/groups/freedesktop/update-mime-database | 5 ++++- apparmor.d/groups/grub/update-grub | 2 ++ apparmor.d/groups/kde/kded5 | 5 +++++ apparmor.d/groups/pacman/pacman | 6 ++++-- apparmor.d/groups/pacman/pacman-hook-depmod | 6 ++++-- apparmor.d/groups/pacman/pacman-hook-gtk | 6 ++++-- apparmor.d/groups/pacman/pacman-hook-perl | 6 ++++-- apparmor.d/groups/pacman/pacman-hook-systemd | 6 ++++-- apparmor.d/groups/pacman/reflector | 7 +++++++ apparmor.d/groups/systemd/systemd-sysusers | 4 ++++ apparmor.d/profiles-a-f/btrfs | 5 ++++- apparmor.d/profiles-g-l/lscpu | 5 +++++ apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 6 ++++-- 13 files changed, 55 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index f234a689..e81fa909 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -18,9 +18,12 @@ profile update-mime-database @{exec_path} { /usr/share/mime/{,**} rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, + # Inherit silencer deny network inet6 stream, deny network inet stream, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 59e4f84d..9d03e262 100644 --- a/apparmor.d/groups/grub/update-grub 
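Review bot: The new `owner /dev/pts/[0-9]* rw,` in update-mime-database only matches a pty owned by the process's fsuid, yet this profile is normally entered as root from a pacman transaction while a pty opened by a terminal emulator is owned by the invoking user, so when pacman is run through sudo the inherited stdout/stderr pty is likely still denied (the pacman hunk later in this patch drops `owner` from the VT rule for what looks like the same reason). If the rule was only validated from a virtual console, consider `/dev/pts/[0-9]* rw,` for parity with the `/dev/tty[0-9]* rw,` line above it, or keep `owner` and state the assumption with `# pty is only matched when owned by the caller (fsuid 0)`. A short comment on why the VT rule carries no `owner` while the pts rule does would save the next maintainer the same question.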
+++ b/apparmor.d/groups/grub/update-grub @@ -15,5 +15,7 @@ profile update-grub @{exec_path} { @{bin}/{,ba,da}sh rix, @{bin}/grub-mkconfig rPx, + /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index b1cb6db1..a687db53 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -120,12 +120,17 @@ profile kded5 @{exec_path} { @{bin}/pgrep mr, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{PROC}/ r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, @{PROC}/@{pids}/cgroup r, + @{PROC}/tty/drivers r, include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 0bf4f792..7a5342b4 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -150,7 +150,8 @@ profile pacman @{exec_path} { @{run}/utmp rk, - owner /dev/tty[0-9]* rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, # Silencer, deny /tmp/ r, @@ -174,7 +175,8 @@ profile pacman @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - /dev/tty[0-9]* rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index b4492608..88dd23e9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -23,11 +23,13 @@ profile pacman-hook-depmod @{exec_path} { /usr/lib/modules/*/{,**} rw, - /dev/tty rw, + /dev/tty rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, # Inherit Silencer deny network inet6 stream, deny network inet stream, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index 792732d9..9d7eeeec 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk 
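Review bot: update-grub is the only profile in this patch that gains `/dev/tty[0-9]* rw,` without a matching `/dev/pts/[0-9]*` rule, so when it is invoked from a terminal emulator (via sudo or a pacman hook) the inherited pty presumably still produces the denial the VT rule was meant to fix. If that path was tested and works, a one-line comment saying so would help; otherwise add `owner /dev/pts/[0-9]* rw,` next to the new line for parity with the sibling profiles.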
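Review bot: The added `@{PROC}/@{pids}/cgroup r,` in kded5 duplicates the identical rule that is still present two lines below in the same hunk (after `@{PROC}/uptime r,`), so one of the two should be dropped. The new `@{PROC}/ r,` grants a listing of /proc; that is plausible because `@{bin}/pgrep mr,` runs pgrep under this profile, but a comment such as `# pgrep (run in-profile) enumerates /proc` would stop it from being read as a leftover. Likewise `@{PROC}/tty/drivers r,` deserves a note on which kded5 module reads it, since nothing in the hunk makes that obvious.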
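Review bot: Dropping `owner` from `/dev/tty[0-9]* rw,` while adding `owner /dev/pts/[0-9]* rw,` in the same pacman hunk leaves the two terminal rules with different ownership semantics and no comment explaining why; the commit message does not say either. Presumably the denial was seen because the VT is owned by the logged-in user while pacman runs as root — if so, the same mismatch applies to a pty allocated by that user's terminal emulator, so either drop `owner` from both rules or record the reasoning with `# VT is owned by the logged-in user while pacman runs as root` above the rule. Note that without `owner`, `/dev/tty[0-9]* rw` permits writing to every virtual console, including other users' sessions; for a root-run package manager that is an accepted trade-off, but it should be stated rather than implied.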
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -23,11 +23,13 @@ profile pacman-hook-gtk @{exec_path} { /usr/share/icons/{,**} rw, - /dev/tty rw, + /dev/tty rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, # Inherit Silencer deny network inet6 stream, deny network inet stream, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index dfae7208..22030588 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -23,11 +23,13 @@ profile pacman-hook-perl @{exec_path} { @{lib}/perl[0-9]*/{,**} r, - /dev/tty rw, + /dev/tty rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, # Inherit silencer deny network inet6 stream, deny network inet stream, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 3fd46b11..3b56bdf0 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -30,11 +30,13 @@ profile pacman-hook-systemd @{exec_path} { /usr/ rw, - /dev/tty rw, + /dev/tty rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, # Inherit silencer deny network inet6 stream, deny network inet stream, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 71a77d57..5e658e31 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector @@ -14,6 +14,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + capability dac_read_search, + capability dac_override, + network inet dgram, network inet6 dgram, network inet stream, 
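Review bot: `capability net_admin,` together with `capability dac_override,` and `capability dac_read_search,` is a broad grant for reflector, whose visible needs in this profile are inet/inet6 sockets and a few proc reads, and the commit message ("Update reflector") gives no rationale. If these came from `capable` entries in the audit log without any functional failure (net_admin is commonly requested by setsockopt calls a program tolerates failing), the idiom used elsewhere in this patch is a silencer, e.g. `deny capability net_admin,`, which keeps the log quiet without granting the right. For the two DAC capabilities please add a comment naming the path that needed them, e.g. `# dac_override: needed for <path>`, so a later reviewer can check the file rules instead of guessing, and drop whichever one turns out not to be required.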
@@ -33,5 +37,8 @@ profile reflector @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 8f5afd5a..3b0a9370 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -39,6 +39,10 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/.#{group,gshadow}[0-9a-zA-Z]* rw, /etc/.pwd.lock rwk, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, + + # Inherit Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index 8ba14f01..d2ff098f 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -44,7 +44,10 @@ profile btrfs @{exec_path} { @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, - /dev/btrfs-control rw, + /dev/btrfs-control rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index 36e6dfd4..96dba234 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -25,5 +25,10 @@ profile lscpu @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/cpumap r, + owner @{sys}/kernel/cpu_byteorder r, + + /dev/tty[0-9]* rw, + + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 92b94ed3..8d2041d7 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions 
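Review bot: `owner @{sys}/kernel/cpu_byteorder r,` in lscpu will only match when lscpu runs as root, because sysfs nodes are owned by root and `owner` requires the process fsuid to equal the file's uid; an unprivileged user running lscpu still gets the denial this rule was meant to fix. The other sysfs rules in the same hunk (`@{sys}/devices/system/node/ r,`) carry no `owner`, so the new line should read `@{sys}/kernel/cpu_byteorder r,`. The hunk also adds `/dev/tty[0-9]* rw,` without a pts rule, unlike the other profiles in this patch; if running lscpu from a terminal emulator was not tested, `owner /dev/pts/[0-9]* rw,` is probably needed as well.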
@@ -29,7 +29,9 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r, - /dev/tty rw, + /dev/tty rw, + /dev/tty[0-9]* rw, + owner /dev/pts/[0-9]* rw, include if exists -} \ No newline at end of file +}