From 49bddc0382dd53a02bc94f6242aeadfd170a2b1c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 23 Apr 2021 12:40:19 +0100
Subject: [PATCH] Profile update.

---
 apparmor.d/abstractions/gstreamer | 1 +
 apparmor.d/abstractions/python.d/complete | 2 +-
 apparmor.d/abstractions/user-read | 2 +-
 apparmor.d/groups/desktop/blueman | 5 ++++-
 apparmor.d/groups/desktop/blueman-mechanism | 1 +
 apparmor.d/groups/desktop/xwayland | 12 ++----------
 apparmor.d/groups/glib/glib-pacrunner | 3 +++
 apparmor.d/groups/gnome/gio-launch-desktop | 2 ++
 apparmor.d/profiles-a-l/child-pager | 3 +++
 apparmor.d/profiles-m-z/virt-manager | 9 +++++----
 apparmor.d/tunables/xdg-user-dirs.d/complete | 2 +-
 11 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index 020d8625..74edf6a6 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -44,6 +44,7 @@
   #owner @{HOME}/orcexec.* mrw,
   /{usr/,}lib/frei0r-[0-9]/*.so mr,
+  /{usr/,}lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
   /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
   /{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr,
   /{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr,
diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete
index f381c227..a0387ee2 100644
--- a/apparmor.d/abstractions/python.d/complete
+++ b/apparmor.d/abstractions/python.d/complete
@@ -13,4 +13,4 @@
   owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
 
   # Silencer
-  /{usr/,}lib/python3/** w,
+  /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index 2f049866..22379da7 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
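Review bot: The new non-multiarch `gst-plugin-scanner` rule is added directly above the existing `@{multiarch}` one with nothing saying why two spellings of the same helper are needed; a one-line comment over the pair, e.g. `# gst-plugin-scanner: flat lib/ layout and Debian-style multiarch layout`, would spare the next reader a lookup (which distributions use which layout is inferred from the paths, not stated in the hunk). Both rules use `ix`, so the scanner, which loads every plugin it finds, runs under whatever profile includes this abstraction; that matches the pre-existing multiarch line, so it is a consistency observation rather than a new hole, but it is worth knowing when this abstraction is included from a profile that already has wide file access.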
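Review bot: The line under `# Silencer` is an allow rule, not a silencer: `/{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,` carries no `deny`, so every profile that includes this abstraction is granted write access to the whole system Python tree, and this commit widens that from `python3` to every interpreter version. Unless the `deny` keyword was lost in the rendering of this page, it should read `deny /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,`; a writable `site-packages`/`dist-packages` from a confined program is a code-injection path into every later Python process. Separately, `3.[0-9]` matches only single-digit minor versions, so 3.10 and later fall outside both this rule and the `@{user_lib_dirs}` context line above it; `3.[0-9]{,[0-9]}` would cover them.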
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-2.0-only
 
   owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r,
   owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
diff --git a/apparmor.d/groups/desktop/blueman b/apparmor.d/groups/desktop/blueman
index 8335f187..83a6c95a 100644
--- a/apparmor.d/groups/desktop/blueman
+++ b/apparmor.d/groups/desktop/blueman
@@ -7,7 +7,7 @@ abi ,
 include
 
 @{exec_path} = /{usr/,}bin/blueman-*
-profile blueman @{exec_path} {
+profile blueman @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
@@ -78,6 +78,9 @@ profile blueman @{exec_path} {
   @{run}/user/1000/gdm/Xauthority r,
 
+  # file_inherit
+  /dev/dri/card[0-9]* rw,
+
   profile open {
     include
     include
diff --git a/apparmor.d/groups/desktop/blueman-mechanism b/apparmor.d/groups/desktop/blueman-mechanism
index 35580348..b0b554ef 100644
--- a/apparmor.d/groups/desktop/blueman-mechanism
+++ b/apparmor.d/groups/desktop/blueman-mechanism
@@ -13,6 +13,7 @@ profile blueman-mechanism @{exec_path} {
   include
   include
 
+  capability mknod,
   capability net_admin,
   deny capability sys_nice,
 
diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland
index 619d9c82..3053d24f 100644
--- a/apparmor.d/groups/desktop/xwayland
+++ b/apparmor.d/groups/desktop/xwayland
@@ -9,6 +9,8 @@ include
 @{exec_path} = /{usr/,}bin/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
   include
+  include
+  include
   include
   include
@@ -19,13 +21,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{,ba,da}sh rix,
   /{usr/,}bin/xkbcomp rPx,
 
-  /usr/share/drirc.d/{,*} r,
   /usr/share/glvnd/egl_vendor.d/{,*.json} r,
   /usr/share/X11/xkb/rules/evdev r,
 
-  /dev/dri/card[0-9]* rw,
-  /dev/dri/renderD[0-9]* rw,
-
   # TMP files
   owner /tmp/server-[0-9]*.xkm rwk,
 
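Review bot: The SPDX identifier moves from `GPL-3.0-or-later` to `GPL-2.0-only`, which is a relicensing of this file, but the commit is titled only `Profile update.` and its message says nothing about it. A sentence in the commit message stating that the header is being aligned with the project license would make the change auditable; that the project license is GPL-2.0-only is inferred from the virt-manager header elsewhere in this patch, not stated here. Nothing else in the hunk changes, so this is a documentation point only.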
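Review bot: The added `/dev/dri/card[0-9]* rw,` is labelled `# file_inherit`, which in this project appears to mark a descriptor inherited from the parent rather than one blueman opens itself; if blueman has no need for the GPU node, `deny /dev/dri/card[0-9]* rw,` silences the audit entry without granting write access to the device, so it is worth confirming which was intended. The same hunk keeps the context line `@{run}/user/1000/gdm/Xauthority r,` while the tunables hunk of this very patch replaces `1000` with `@{uid}`; `@{run}/user/@{uid}/gdm/Xauthority r,` would keep this profile working for any other uid. The new `flags=(attach_disconnected)` on the profile line in the first hunk also deserves a short comment naming the disconnected path that triggered it, since the flag relaxes path matching for the whole profile.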
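Review bot: `capability mknod,` is added with no comment, and CAP_MKNOD lets a compromised root helper create device nodes (a block device for a raw disk, for instance) that no path rule in this profile governs, so the trigger should be recorded next to the rule, e.g. `# Needed to create a device node at … — confirm against the audit log` (what blueman-mechanism actually creates is not visible in the hunk). If the denial came from an operation the mechanism does not need, `deny capability mknod,` is the safer silencer and matches the `deny capability sys_nice,` style already used two lines below. The enclosing profile starts before this hunk.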
@@ -36,12 +34,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
   # Needed for Mutter
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
 
-  @{sys}/devices/pci[0-9]*/**/uevent r,
-  @{sys}/devices/pci[0-9]*/**/vendor r,
-  @{sys}/devices/pci[0-9]*/**/device r,
-  @{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
-  @{sys}/devices/pci[0-9]*/**/subsystem_device r,
-
   owner @{PROC}/@{pids}/cmdline r,
 
   include if exists
diff --git a/apparmor.d/groups/glib/glib-pacrunner b/apparmor.d/groups/glib/glib-pacrunner
index 08107343..866ff6a1 100644
--- a/apparmor.d/groups/glib/glib-pacrunner
+++ b/apparmor.d/groups/glib/glib-pacrunner
@@ -17,5 +17,8 @@ profile glib-pacrunner @{exec_path} {
   @{exec_path} mr,
 
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
   include if exists
 }
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 4bbda8f0..3aae1786 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -25,6 +25,8 @@ profile gio-launch-desktop @{exec_path} {
   # User files
   owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
 
   # file_inherit
   owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-l/child-pager b/apparmor.d/profiles-a-l/child-pager
index 2c4bc6bc..01549252 100644
--- a/apparmor.d/profiles-a-l/child-pager
+++ b/apparmor.d/profiles-a-l/child-pager
@@ -18,6 +18,9 @@ profile child-pager {
   include
   include
 
+  capability dac_override,
+  capability dac_read_search,
+
   signal (receive) set=(stop, cont, term, kill),
 
   /{usr/,}bin/ r,
diff --git a/apparmor.d/profiles-m-z/virt-manager b/apparmor.d/profiles-m-z/virt-manager
index bc74550b..fea5ec5f 100644
--- a/apparmor.d/profiles-m-z/virt-manager
+++ b/apparmor.d/profiles-m-z/virt-manager
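Review bot: The retained context line `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,` has `A-z` where `A-Z` is evidently meant; in a bracket expression `A-z` spans ASCII 65–122 and so also matches `[`, `\`, `]`, `^`, `_` and the backtick, which is wider than the Mutter auth filename needs. `[a-zA-Z0-9]*` fixes it; the line is not touched by this commit but sits in the hunk. The five `@{sys}/devices/pci...` reads removed here, together with the `/dev/dri` rules removed in the second hunk of this file, are presumably now supplied by the two includes added in the first hunk (their names are not visible in this rendering), and naming that abstraction in the commit message would let a reader confirm nothing was silently dropped. The profile's closing brace lies outside the hunk.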
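Review bot: The new `@{PROC}/cmdline r,` and `@{PROC}/sys/kernel/osrelease r,` carry no comment saying what in glib-pacrunner reads them; `/proc/cmdline` can expose sensitive boot parameters on some systems, so a read of it should be traceable to a need rather than kept as an audit-log silencer. A line such as `# GLib probes the kernel command line and release at start-up — confirm` above the pair would do, and if the access turns out to be mere noise, `deny @{PROC}/cmdline r,` is the safer form. Which component performs the read is an inference, not something the hunk shows.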
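Review bot: The added `owner @{PROC}/@{pid}/mountinfo r,` and `owner @{PROC}/@{pid}/mounts r,` are placed under the `# User files` heading, which they are not — they are the process reading its own mount table. Giving them a heading of their own, e.g. `# Own process information`, keeps the section labels truthful for whoever audits this profile next; the `owner` and `@{pid}` restriction on the rules themselves is the right shape. Style only.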
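Review bot: `capability dac_override,` and `capability dac_read_search,` are added to `child-pager`, a child profile that parent profiles hand their pager off to, and DAC bypass in that shared profile means a pager started as root can read any file on the system regardless of permissions — a broad grant for a program that only needs the stream its parent gives it. If the audit entries came from a root-run pager touching files it does not own, `deny capability dac_override,` and `deny capability dac_read_search,` silence them without the grant; if the access is genuinely required, a comment naming the triggering case should sit above the rules. Whether they are required cannot be determined from the hunk.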
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -63,16 +64,16 @@ profile virt-manager @{exec_path} {
   # User VM images
   owner @{user_share_dirs}/libvirt/{,**} rw,
   owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
-
-  #owner /media/*/VM/ r,
+  owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/osinfo/{,**} r,
   /usr/share/gtksourceview-4/{,**} r,
-  /usr/share/misc/pci.ids r,
-  /var/lib/usbutils/usb.ids r,
+  /usr/share/hwdata/*.ids r,
+  /usr/share/misc/*.ids r,
+  /var/lib/usbutils/*.ids r,
 
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/complete b/apparmor.d/tunables/xdg-user-dirs.d/complete
index f2667107..56a7342c 100644
--- a/apparmor.d/tunables/xdg-user-dirs.d/complete
+++ b/apparmor.d/tunables/xdg-user-dirs.d/complete
@@ -49,4 +49,4 @@
 # User build directories and output
 @{user_build_dirs}="/tmp/build"
 @{user_pkg_dirs}="/tmp/pkg/"
-@{user_tmp_dirs}="/run/user/1000" "/tmp"
+@{user_tmp_dirs}="/run/user/@{uid}" "/tmp"
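Review bot: `owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,` grants read-write to a VM directory on any mounted medium, and two things about it are worth confirming. `@{MOUNTS}` is defined in the project tunables, which this hunk does not show; if its values already end in `/`, the explicit `/*/` here yields a double slash that may not match the paths the kernel reports. And `owner` offers little on removable filesystems without POSIX ownership (FAT/exFAT), where every file appears owned by the mounting user, so the rule is effectively unrestricted there; a comment such as `# VM images on removable media (owner check is weak on FAT/exFAT)` records that trade-off. The `*.ids` widening further down is read-only and harmless.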