From 503cf496bfaca4ce2be9ec37a7fe5aaf04f7bfba Mon Sep 17 00:00:00 2001 
From: Mikhail Morfikov Date: Wed, 9 Dec 2020 10:30:52 +0100 Subject: [PATCH] update apparmor profiles --- apparmor.d/abstractions/libvirt-qemu | 8 + apparmor.d/adduser | 24 +-- apparmor.d/adequate | 8 +- apparmor.d/amarok | 2 +- apparmor.d/android-studio | 37 ++++- apparmor.d/anki | 8 +- apparmor.d/anyremote | 41 +++-- apparmor.d/apt | 9 +- apparmor.d/apt-file | 3 + apparmor.d/apt-get | 18 ++- apparmor.d/apt-key | 43 +++--- apparmor.d/apt-listbugs | 8 +- apparmor.d/apt-listbugs-aptcleanup | 1 + apparmor.d/apt-listbugs-migratepins | 1 + apparmor.d/apt-listbugs-prefclean | 3 + apparmor.d/apt-listchanges | 20 ++- apparmor.d/apt-methods-cdrom | 5 + apparmor.d/apt-methods-copy | 5 + apparmor.d/apt-methods-file | 5 + apparmor.d/apt-methods-ftp | 5 + apparmor.d/apt-methods-gpgv | 8 +- apparmor.d/apt-methods-http | 7 +- apparmor.d/apt-methods-mirror | 5 + apparmor.d/apt-methods-rred | 5 + apparmor.d/apt-methods-rsh | 5 + apparmor.d/apt-methods-store | 6 + apparmor.d/aptitude | 17 ++- apparmor.d/aptitude-create-state-bundle | 10 +- apparmor.d/aptitude-run-state-bundle | 10 +- apparmor.d/atom | 47 +++--- apparmor.d/bin.ping | 2 +- apparmor.d/birdtray | 4 + apparmor.d/brave | 5 +- apparmor.d/brave-browser | 12 +- apparmor.d/calibre | 8 +- apparmor.d/cawbird | 6 +- apparmor.d/check-bios-nx | 12 +- apparmor.d/check-support-status | 5 +- apparmor.d/check-support-status-hook | 34 +++-- apparmor.d/child-lsb_release | 3 +- apparmor.d/child-pager | 4 + apparmor.d/chromium | 20 +-- apparmor.d/chromium-chromium | 6 +- apparmor.d/claws-mail | 16 +- apparmor.d/code | 5 +- apparmor.d/conky | 31 ++-- apparmor.d/convertall | 2 +- apparmor.d/cpupower | 6 +- apparmor.d/cron | 6 +- apparmor.d/cron-apt | 14 +- apparmor.d/cron-apt-listbugs | 14 +- apparmor.d/cron-apt-show-versions | 5 +- apparmor.d/cron-apt-xapian-index | 14 +- apparmor.d/cron-aptitude | 22 +-- apparmor.d/cron-debsums | 20 ++- apparmor.d/cron-dlocate | 2 +- apparmor.d/cron-ipset-autoban-save | 5 +- apparmor.d/cron-logrotate | 5 
+- apparmor.d/cron-mlocate | 14 +- apparmor.d/cron-popularity-contest | 56 ++++--- apparmor.d/crontab | 4 +- apparmor.d/ddclient | 4 +- apparmor.d/debconf-apt-progress | 6 +- apparmor.d/debsecan | 6 +- apparmor.d/debsign | 36 ++--- apparmor.d/debsums | 7 +- apparmor.d/debuild | 49 ------ apparmor.d/deluser | 12 +- apparmor.d/dh | 114 -------------- apparmor.d/dhclient-script | 15 +- apparmor.d/discord | 18 ++- apparmor.d/dkms | 53 ++++--- apparmor.d/dkms-autoinstaller | 15 +- apparmor.d/dlocate | 2 +- apparmor.d/dpkg | 10 +- apparmor.d/dpkg-buildpackage | 117 -------------- apparmor.d/dpkg-divert | 4 + apparmor.d/dpkg-preconfigure | 6 +- apparmor.d/dpkg-query | 8 +- apparmor.d/dropbox | 14 +- apparmor.d/e2fsck | 2 +- apparmor.d/eject | 2 +- apparmor.d/engrampa | 14 +- apparmor.d/execute-dput | 10 +- apparmor.d/f3fix | 4 +- apparmor.d/fatresize | 2 +- apparmor.d/filezilla | 2 +- apparmor.d/firefox | 6 +- apparmor.d/flameshot | 5 +- apparmor.d/freetube | 9 +- apparmor.d/frontend | 15 +- apparmor.d/fsck-btrfs | 2 +- apparmor.d/fzsftp | 6 +- apparmor.d/gajim | 14 +- apparmor.d/games-wesnoth-sh | 6 +- apparmor.d/ganyremote | 19 ++- apparmor.d/git | 4 +- apparmor.d/google-chrome-chrome | 4 + apparmor.d/google-chrome-google-chrome | 12 +- apparmor.d/gparted | 14 +- apparmor.d/gpartedbin | 6 +- apparmor.d/gpo | 10 +- apparmor.d/gpodder | 11 +- apparmor.d/gpodder-migrate2tres | 6 +- apparmor.d/gsmartcontrol-root | 6 +- apparmor.d/gtk-youtube-viewer | 10 +- apparmor.d/hardinfo | 7 +- apparmor.d/hw-probe | 2 +- apparmor.d/hwinfo | 8 +- apparmor.d/i3lock-fancy | 20 +-- apparmor.d/ifup | 6 +- apparmor.d/initd-kexec | 16 +- apparmor.d/initd-kexec-load | 30 ++-- apparmor.d/initd-kmod | 18 +-- apparmor.d/install-printerdriver | 2 +- apparmor.d/inxi | 2 +- apparmor.d/jdownloader | 4 + apparmor.d/jdownloader-install | 33 ++-- apparmor.d/jgmenu | 13 +- apparmor.d/kanyremote | 29 ++-- apparmor.d/kconfig-hardened-check | 2 +- apparmor.d/keepassxc | 4 + apparmor.d/kernel-install | 4 +- 
apparmor.d/kodi | 2 +- apparmor.d/kvm-ok | 12 +- apparmor.d/lightworks | 8 +- apparmor.d/linssid | 4 +- apparmor.d/lintian | 194 ------------------------ apparmor.d/linux-check-removal | 8 +- apparmor.d/localepurge | 32 ++-- apparmor.d/logrotate | 8 +- apparmor.d/lsinitramfs | 6 +- apparmor.d/lynx | 2 +- apparmor.d/megasync | 17 ++- apparmor.d/minitube | 4 + apparmor.d/mke2fs | 2 +- apparmor.d/mkinitramfs | 76 ++++++---- apparmor.d/mumble | 4 + apparmor.d/mumble-overlay | 8 +- apparmor.d/okular | 4 + apparmor.d/on-ac-power | 8 +- apparmor.d/openbox | 8 +- apparmor.d/openbox-session | 6 +- apparmor.d/openvpn | 24 +-- apparmor.d/opera | 5 +- apparmor.d/orage | 4 + apparmor.d/pam-auth-update | 6 +- apparmor.d/parted | 2 +- apparmor.d/partprobe | 2 +- apparmor.d/popcon-largest-unused | 12 +- apparmor.d/popularity-contest | 11 +- apparmor.d/psi-plus | 4 + apparmor.d/qbittorrent | 6 +- apparmor.d/qnapi | 4 + apparmor.d/qpdfview | 4 + apparmor.d/qt5ct | 4 +- apparmor.d/querybts | 14 +- apparmor.d/quiterss | 4 + apparmor.d/repo | 2 +- apparmor.d/reportbug | 12 +- apparmor.d/run-parts | 44 +++--- apparmor.d/scrot | 4 +- apparmor.d/sddm | 14 +- apparmor.d/sddm-xsession | 33 ++-- apparmor.d/smtube | 4 + apparmor.d/spacefm-auth | 2 +- apparmor.d/spectre-meltdown-checker | 62 ++++---- apparmor.d/startx | 28 ++-- apparmor.d/strawberry | 4 + apparmor.d/suid3num | 2 +- apparmor.d/synaptic | 11 +- apparmor.d/syncthing | 4 + apparmor.d/system-config-printer | 2 +- apparmor.d/system-config-printer-applet | 2 +- apparmor.d/tasksel | 10 +- apparmor.d/telegram-desktop | 6 +- apparmor.d/thunderbird | 19 ++- apparmor.d/tint2conf | 4 +- apparmor.d/torify | 2 +- apparmor.d/torsocks | 2 +- apparmor.d/tpacpi-bat | 4 +- apparmor.d/ucf | 20 ++- apparmor.d/udiskie | 4 + apparmor.d/udisksd | 2 +- apparmor.d/unhide-linux | 4 +- apparmor.d/unhide-posix | 8 +- apparmor.d/unhide-tcp | 10 +- apparmor.d/unmkinitramfs | 28 ++-- apparmor.d/update-ca-certificates | 32 ++-- apparmor.d/update-dlocatedb | 17 
++- apparmor.d/update-initramfs | 29 ++-- apparmor.d/update-pciids | 41 ++--- apparmor.d/update-smart-drivedb | 36 ++--- apparmor.d/updatedb-mlocate | 2 + apparmor.d/usb-devices | 12 +- apparmor.d/uscan | 16 +- apparmor.d/usr.sbin.libvirtd | 5 +- apparmor.d/uupdate | 40 ++--- apparmor.d/vidcutter | 4 + apparmor.d/vipw-vigr | 4 +- apparmor.d/virt-manager | 2 +- apparmor.d/volumeicon | 2 +- apparmor.d/whdd | 10 +- apparmor.d/wireshark | 4 + apparmor.d/x11-xsession | 28 ++-- apparmor.d/xarchiver | 16 +- apparmor.d/xautolock | 4 +- apparmor.d/xdg-desktop-menu | 28 ++-- apparmor.d/xdg-email | 3 +- apparmor.d/xdg-icon-resource | 20 +-- apparmor.d/xdg-mime | 30 ++-- apparmor.d/xdg-open | 2 +- apparmor.d/xdg-screensaver | 7 +- apparmor.d/xdg-settings | 26 ++-- apparmor.d/xinit | 2 + apparmor.d/xorg | 8 +- apparmor.d/xrdb | 4 +- apparmor.d/youtube-viewer | 8 +-
 218 files changed, 1445 insertions(+), 1502 deletions(-)
 delete mode 100644 apparmor.d/debuild
 delete mode 100644 apparmor.d/dh
 delete mode 100644 apparmor.d/dpkg-buildpackage
 delete mode 100644 apparmor.d/lintian
diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu
index 2d08d6f7..a03e9e2c 100644
--- a/apparmor.d/abstractions/libvirt-qemu
+++ b/apparmor.d/abstractions/libvirt-qemu
@@ -32,6 +32,9 @@
 # only modify its comm value or those in its thread group.
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 @{PROC}/sys/kernel/cap_last_cap r,
+ @{PROC}/sys/vm/overcommit_memory r,
+ # detect hardware capabilities via qemu_getauxval
+ owner @{PROC}/*/auxv r,
 # For hostdev access. The actual devices will be added dynamically
 /sys/bus/usb/devices/ r,
@@ -166,6 +169,11 @@
 /usr/{lib,lib64}/qemu/*.so mr,
 /usr/lib/@{multiarch}/qemu/*.so mr,
+ # let qemu load old shared objects after upgrades (LP: #1847361)
+ /{var/,}run/qemu/*/*.so mr,
+ # but explicitly deny writing to these files
+ audit deny /{var/,}run/qemu/*/*.so w,
+
 # swtpm
 /{usr/,}bin/swtpm rmix,
 /usr/{lib,lib64}/libswtpm_libtpms.so mr,
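Review bot: `owner @{PROC}/*/auxv r,` in the first hunk covers the auxiliary vector of every process running under the same uid, while the comment says it serves qemu_getauxval, which reads the calling process's own vector. auxv exposes AT_RANDOM (the seed glibc uses for stack canaries and pointer guards) and the load addresses of the interpreter and vDSO, so on a host where several guests share one qemu uid the rule lets a compromised guest process learn the ASLR layout of its siblings. The abstraction already writes per-process entries as `@{PROC}/@{pid}/...` (the `task/@{tid}/comm` rule just above), so `owner @{PROC}/@{pid}/auxv r,` would match the house style — whether it is actually narrower depends on whether `@{pid}` is a kernel variable or the `[0-9]*` glob in the tunables this tree uses, so check that first. The `audit deny /{var/,}run/qemu/*/*.so w,` in the second hunk is a good pairing with the `mr` grant.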
diff --git a/apparmor.d/adduser b/apparmor.d/adduser
index 1a6cf53f..17d4ecb4 100644
--- a/apparmor.d/adduser
+++ b/apparmor.d/adduser
@@ -38,19 +38,19 @@ profile adduser @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/rm rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/rm rix,
- /{usr/,}sbin/useradd rPx,
- /{usr/,}sbin/userdel rPx,
- /{usr/,}sbin/groupdel rPx,
- /{usr/,}sbin/groupadd rPx,
- /{usr/,}sbin/usermod rPx,
- /{usr/,}bin/passwd rPx,
- /{usr/,}bin/gpasswd rPx,
- /{usr/,}bin/chfn rPx,
- /{usr/,}bin/chage rPx,
+ /{usr/,}sbin/useradd rPx,
+ /{usr/,}sbin/userdel rPx,
+ /{usr/,}sbin/groupdel rPx,
+ /{usr/,}sbin/groupadd rPx,
+ /{usr/,}sbin/usermod rPx,
+ /{usr/,}bin/passwd rPx,
+ /{usr/,}bin/gpasswd rPx,
+ /{usr/,}bin/chfn rPx,
+ /{usr/,}bin/chage rPx,
 /etc/{group,passwd,shadow} r,
diff --git a/apparmor.d/adequate b/apparmor.d/adequate
index f2c6b54b..38487c67 100644
--- a/apparmor.d/adequate
+++ b/apparmor.d/adequate
@@ -78,11 +78,11 @@ profile adequate @{exec_path} flags=(complain) {
 /usr/share/debconf/frontend r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/adequate rPx,
+ /{usr/,}bin/adequate rPx,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/locale rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
 /etc/debconf.conf r,
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
diff --git a/apparmor.d/amarok b/apparmor.d/amarok
index 1575916b..b65c133e 100644
--- a/apparmor.d/amarok
+++ b/apparmor.d/amarok
@@ -61,7 +61,7 @@ profile amarok @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/amarokcollectionscanner rix,
 /{usr/,}bin/kde4-config rix,
diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio
index 414858ac..3f5389e1 100644
--- a/apparmor.d/android-studio
+++ b/apparmor.d/android-studio
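Review bot: `/{usr/,}bin/{,ba,da}sh rix,` replaces a dash-only rule in adduser, and the same substitution appears in adequate and amarok on this line and in android-studio, anki, anyremote, apt, apt-get, apt-key, apt-listbugs, apt-listchanges, aptitude, both aptitude-*-state-bundle profiles, brave-browser, calibre, cawbird, check-bios-nx, check-support-status and check-support-status-hook below, so each of these profiles now also admits bash regardless of which interpreter the confined script actually declares. In android-studio, brave-browser, the state-bundle profiles, the apt-get and aptitude pager subprofiles, check-bios-nx and the two check-support-status profiles the old rule was plain `r`, so the rewrite additionally upgrades the interpreter to `rix`, which appears to let the profile spawn a shell as a child rather than only be run by one. If the intent is portability to systems where /bin/sh is not dash, a comment at the first occurrence, `# /bin/sh resolves to different shells per distribution; accept dash and bash`, records that, and profiles whose script is known to be `#!/bin/sh` could keep `/{usr/,}bin/{,da}sh` instead.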
@@ -32,6 +32,7 @@ profile android-studio @{exec_path} {
 #include
 #include
 #include
+ #include
 #include
 # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
@@ -47,7 +48,9 @@ profile android-studio @{exec_path} {
 signal (send) set=(term, kill) peer=android-studio//lsb-release,
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /{usr/,}bin/python3.[0-9]* r,
 /{usr/,}bin/which rix,
 /{usr/,}bin/uname rix,
@@ -91,6 +94,7 @@ profile android-studio @{exec_path} {
 /media/*/ r,
 /usr/ r,
 /{usr/,}lib/ r,
+ /{usr/,}lib{x32,32,64}/ r,
 @{AS_LIBDIR}/ rw,
 @{AS_LIBDIR}/** mrwkix,
@@ -120,13 +124,32 @@ profile android-studio @{exec_path} {
 owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
 owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
+ owner @{HOME}/Android/ rw,
+ owner @{HOME}/Android/** mrwkix,
+
 owner "@{HOME}/.config/Android Open Source Project/" rw,
 owner "@{HOME}/.config/Android Open Source Project/**" rwk,
+ owner @{HOME}/.config/Google/ rw,
+ owner @{HOME}/.config/Google/** rwk,
+
 owner @{HOME}/.cache/ rw,
 owner "@{HOME}/.cache/Android Open Source Project/" rw,
 owner "@{HOME}/.cache/Android Open Source Project/**" rw,
+ owner @{HOME}/.cache/Google/ rw,
+ owner @{HOME}/.cache/Google/** rwk,
+ # To remove the following error:
+ # Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
+ # java.io.IOException: Cannot run program
+ "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
+ owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
+ #
+ owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
+
+ owner @{HOME}/.cache/JNA/ rw,
+ owner @{HOME}/.cache/JNA/** rw,
+
 owner @{HOME}/.gradle/ rw,
 owner @{HOME}/.gradle/** mrwkix,
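Review bot: `owner @{HOME}/Android/** mrwkix,` and `owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,` in the last hunk grant write and inherit-execute on the same paths, so anything the IDE, a plugin or a build script writes there runs with this profile's full permissions; `@{HOME}/.gradle/** mrwkix` already had that shape and the new rules extend it to the whole project tree. That is probably a deliberate trade-off for an IDE that runs user builds, but it should be written down, e.g. `# w+ix on the project tree is intentional: code built here runs under this profile`. The comment above the `ij[0-9]*.tmp` rule quotes `/home/morfik/...`; spelling it `@{HOME}/.cache/Google/AndroidStudio4.1/tmp` keeps a specific username out of the profile.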
@@ -135,8 +158,7 @@ profile android-studio @{exec_path} {
 owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
 owner @{HOME}/.local/share/Google/ rw,
- owner @{HOME}/.local/share/Google/consentOptions/ rw,
- owner @{HOME}/.local/share/Google/consentOptions/accepted rw,
+ owner @{HOME}/.local/share/Google/** rw,
 owner @{HOME}/.local/share/kotlin/ rw,
 owner @{HOME}/.local/share/kotlin/** rw,
@@ -214,6 +236,9 @@ profile android-studio @{exec_path} {
 /{usr/,}bin/gpg mr,
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
 }
 profile lsb-release {
@@ -250,7 +275,11 @@ profile android-studio @{exec_path} {
 /{usr/,}bin/xdg-open mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
 # Allowed apps to open
 /{usr/,}bin/spacefm rPx,
diff --git a/apparmor.d/anki b/apparmor.d/anki
index a94cd581..eec5e425 100644
--- a/apparmor.d/anki
+++ b/apparmor.d/anki
@@ -120,8 +120,8 @@ profile anki @{exec_path} {
 /etc/mime.types r,
 # SyncThread
- /{usr/,}bin/dash rix,
- /{usr/,}bin/uname rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/uname rix,
 /etc/ r,
 /etc/debian_version r,
@@ -185,6 +185,10 @@ profile anki @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/anyremote b/apparmor.d/anyremote
index 51c4c97f..28a32839 100644
--- a/apparmor.d/anyremote
+++ b/apparmor.d/anyremote
@@ -25,27 +25,26 @@ profile anyremote @{exec_path} {
 @{exec_path} rm,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/bash rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/id rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/expr rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/tail rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/md5sum rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/sleep rix,
- /{usr/,}bin/find rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/expr rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/tail rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/sleep rix,
+ /{usr/,}bin/find rix,
 /{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
 /{usr/,}bin/killall rCx -> killall,
diff --git a/apparmor.d/apt b/apparmor.d/apt
index a8232d65..0fd069ae 100644
--- a/apparmor.d/apt
+++ b/apparmor.d/apt
@@ -72,9 +72,9 @@ profile apt @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/test rix,
- /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/test rix,
+ /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/ps rPx,
 /{usr/,}bin/dpkg rPx,
@@ -110,6 +110,7 @@ profile apt @{exec_path} flags=(complain) {
 owner @{PROC}/@{pid}/fd/ r,
+ /tmp/ r,
 owner /tmp/apt.conf.* rw,
 owner /tmp/apt.data.* rw,
 owner /tmp/apt-dpkg-install-*/ rw,
@@ -128,7 +129,7 @@ profile apt @{exec_path} flags=(complain) {
 /{usr/,}bin/sensible-editor mr,
 /{usr/,}bin/vim.* mrix,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/which rix,
 owner @{HOME}/.selected_editor r,
diff --git a/apparmor.d/apt-file b/apparmor.d/apt-file index 1387b718..f1aea4c9 100644 --- a/apparmor.d/apt-file +++ b/apparmor.d/apt-file @@ -34,6 +34,9 @@ profile apt-file @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + # For shell pwd + /root/ r, + # file_inherit /var/log/cron-apt/temp w, diff --git a/apparmor.d/apt-get b/apparmor.d/apt-get index fa8e50ab..44da03ee 100644 --- a/apparmor.d/apt-get +++ b/apparmor.d/apt-get @@ -71,9 +71,9 @@ profile apt-get @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, /{usr/,}bin/ps rPx, /{usr/,}bin/dpkg rPx, @@ -114,6 +114,7 @@ profile apt-get @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, owner /tmp/apt-tmp-index.* rw, owner /tmp/apt-dpkg-install-*/ rw, owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, @@ -134,16 +135,21 @@ profile apt-get @{exec_path} flags=(complain) { capability dac_read_search, + /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, - /{usr/,}bin/less rix, + /{usr/,}bin/which rix, + /{usr/,}bin/less rix, owner @{HOME}/.less* rw, + owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/*.changelog r, + # For shell pwd + /root/ r, + } profile dpkg-source flags=(complain) { diff --git a/apparmor.d/apt-key b/apparmor.d/apt-key index 4593d27d..a6eb903d 100644 --- a/apparmor.d/apt-key +++ b/apparmor.d/apt-key 
@@ -20,25 +20,25 @@ profile apt-key @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cmp rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/comm rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/id rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/uniq rix,
- /{usr/,}bin/wc rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cmp rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/comm rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/uniq rix,
+ /{usr/,}bin/wc rix,
 /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/gpg rCx -> gpg,
@@ -46,10 +46,15 @@ profile apt-key @{exec_path} {
 /{usr/,}bin/dpkg-query rPx,
 /{usr/,}bin/apt-config rPx,
+ # For shell pwd
 / r,
+ /etc/ r,
+ /root/ r,
+
 /etc/apt/trusted.gpg r,
 /etc/apt/trusted.gpg.d/{,*.gpg} r,
+ /tmp/ r,
 owner /tmp/apt-key-gpghome.*/{,**} rw,
diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs
index a213da15..74a52dbf 100644
--- a/apparmor.d/apt-listbugs
+++ b/apparmor.d/apt-listbugs
@@ -26,11 +26,11 @@ profile apt-listbugs @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/ruby2.[0-9]* rix,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/logname rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/logname rix,
- /{usr/,}bin/apt-config rPx,
- /{usr/,}bin/dpkg-query rPx,
+ /{usr/,}bin/apt-config rPx,
+ /{usr/,}bin/dpkg-query rPx,
 /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
diff --git a/apparmor.d/apt-listbugs-aptcleanup b/apparmor.d/apt-listbugs-aptcleanup
index af1d7451..6cb2f0b5 100644
--- a/apparmor.d/apt-listbugs-aptcleanup
+++ b/apparmor.d/apt-listbugs-aptcleanup
@@ -16,6 +16,7 @@
 @{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
 profile apt-listbugs-aptcleanup @{exec_path} {
 #include
+ #include
 #include
 @{exec_path} r,
diff --git a/apparmor.d/apt-listbugs-migratepins b/apparmor.d/apt-listbugs-migratepins
index f881177a..e3bc6cdc 100644
--- a/apparmor.d/apt-listbugs-migratepins
+++ b/apparmor.d/apt-listbugs-migratepins
@@ -16,6 +16,7 @@
 @{exec_path} = /usr/libexec/apt-listbugs/migratepins
 profile apt-listbugs-migratepins @{exec_path} {
 #include
+ #include
 #include
 @{exec_path} r,
diff --git a/apparmor.d/apt-listbugs-prefclean b/apparmor.d/apt-listbugs-prefclean
index da7188cf..87409ad6 100644
--- a/apparmor.d/apt-listbugs-prefclean
+++ b/apparmor.d/apt-listbugs-prefclean
@@ -16,6 +16,7 @@
 @{exec_path} = /usr/libexec/apt-listbugs/prefclean
 profile apt-listbugs-prefclean @{exec_path} {
 #include
+ #include
 #include
 @{exec_path} r,
@@ -27,6 +28,8 @@ profile apt-listbugs-prefclean @{exec_path} {
 /{usr/,}bin/rm rix,
 /{usr/,}bin/cp rix,
+ / r,
+
 owner /var/spool/apt-listbugs/lastprefclean rw,
 #include if exists
diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges
index c9b1dce2..7a57bc7d 100644
--- a/apparmor.d/apt-listchanges
+++ b/apparmor.d/apt-listchanges
@@ -26,7 +26,7 @@ profile apt-listchanges @{exec_path} {
 /{usr/,}bin/python3.[0-9]* r,
 /{usr/,}bin/ r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/tar rix,
 /{usr/,}bin/hostname rPx,
@@ -38,6 +38,10 @@ profile apt-listchanges @{exec_path} {
 /usr/share/apt-listchanges/{,**} r,
 /etc/apt/listchanges.conf r,
+ /etc/apt/listchanges.conf.d/{,*} r,
+
+ /etc/apt/apt.conf r,
+ /etc/apt/apt.conf.d/{,*} r,
 /usr/share/dpkg/cputable r,
 /usr/share/dpkg/tupletable r,
@@ -47,8 +51,11 @@ profile apt-listchanges @{exec_path} {
 /var/lib/apt/listchanges{,-new}.db rw,
 /var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
+ /var/cache/apt/archives/ r,
+
 owner @{PROC}/@{pid}/fd/ r,
+ /tmp/ r,
 owner /tmp/* rw,
 owner /tmp/apt-listchanges*/ rw,
 owner /tmp/apt-listchanges*/**/ rw,
@@ -79,12 +86,17 @@ profile apt-listchanges @{exec_path} {
 /{usr/,}bin/sensible-pager mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/less rix,
+ /{usr/,}bin/ r,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/less rix,
 owner @{HOME}/.less* rw,
+ # For shell pwd
+ /root/ r,
+
+ /tmp/ r,
 owner /tmp/apt-listchanges-tmp*.txt r,
 }
diff --git a/apparmor.d/apt-methods-cdrom b/apparmor.d/apt-methods-cdrom
index 298312f2..fb5c6c9f 100644
--- a/apparmor.d/apt-methods-cdrom
+++ b/apparmor.d/apt-methods-cdrom
@@ -38,6 +38,11 @@ profile apt-methods-cdrom @{exec_path} {
 owner /var/lib/apt/lists/* rw,
 owner /var/lib/apt/lists/partial/* rw,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 # For package building
 @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
diff --git a/apparmor.d/apt-methods-copy b/apparmor.d/apt-methods-copy
index b2a83ebe..637d6917 100644
--- a/apparmor.d/apt-methods-copy
+++ b/apparmor.d/apt-methods-copy
@@ -38,6 +38,11 @@ profile apt-methods-copy @{exec_path} {
 # apt-helper gets "no new privs" so "rix" it
 /{usr/,}lib/apt/apt-helper rix,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 /etc/apt/apt.conf.d/{,*} r,
 /etc/apt/apt.conf r,
diff --git a/apparmor.d/apt-methods-file b/apparmor.d/apt-methods-file
index 6f3289e9..a5523cf2 100644
--- a/apparmor.d/apt-methods-file
+++ b/apparmor.d/apt-methods-file
@@ -38,6 +38,11 @@ profile apt-methods-file @{exec_path} {
 # apt-helper gets "no new privs" so "rix" it
 /{usr/,}lib/apt/apt-helper rix,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 /etc/apt/apt.conf.d/{,*} r,
 /etc/apt/apt.conf r,
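Review bot: the block `# For shell pwd`, `/ r,`, `/etc/ r,`, `/root/ r,` added to apt-methods-cdrom is repeated verbatim in apt-methods-copy and apt-methods-file on this line and in apt-methods-ftp, -gpgv, -http, -mirror, -rred, -rsh and -store below, with partial copies in apt-file, apt-get, apt-key, apt-listchanges and check-support-status-hook; ten identical insertions will drift apart the next time one of them needs a tweak. This tree already keeps shared rules under apparmor.d/abstractions/, so an abstraction included by every apt-methods-* profile would carry the three rules once. The comment is also imprecise for these profiles, which confine apt's compiled method helpers rather than shell scripts; if the rules exist because the helper inherits the invoking shell's working directory, `# cwd inherited from the caller (often /root) must be readable` says so.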
diff --git a/apparmor.d/apt-methods-ftp b/apparmor.d/apt-methods-ftp
index 1373a526..c119f0e2 100644
--- a/apparmor.d/apt-methods-ftp
+++ b/apparmor.d/apt-methods-ftp
@@ -38,6 +38,11 @@ profile apt-methods-ftp @{exec_path} {
 owner /var/lib/apt/lists/* rw,
 owner /var/lib/apt/lists/partial/* rw,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 # For package building
 @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
diff --git a/apparmor.d/apt-methods-gpgv b/apparmor.d/apt-methods-gpgv
index f3eb1459..0e2a1e83 100644
--- a/apparmor.d/apt-methods-gpgv
+++ b/apparmor.d/apt-methods-gpgv
@@ -55,6 +55,11 @@ profile apt-methods-gpgv @{exec_path} {
 /{usr/,}bin/sort rix,
 /{usr/,}bin/touch rix,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 /etc/dpkg/dpkg.cfg.d/{,*} r,
 /etc/dpkg/dpkg.cfg r,
@@ -64,6 +69,7 @@ profile apt-methods-gpgv @{exec_path} {
 /etc/apt/trusted.gpg.d/{,*.gpg} r,
 /etc/apt/trusted.gpg r,
+ /tmp/ r,
 owner /tmp/apt-key-gpghome.*/ rw,
 owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
 owner /tmp/apt.{conf,sig,data}.* rw,
@@ -79,8 +85,6 @@ profile apt-methods-gpgv @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
- / r,
-
 # For package building
 @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
diff --git a/apparmor.d/apt-methods-http b/apparmor.d/apt-methods-http
index abc83108..d1996be2 100644
--- a/apparmor.d/apt-methods-http
+++ b/apparmor.d/apt-methods-http
@@ -39,8 +39,12 @@ profile apt-methods-http @{exec_path} {
 # apt-helper gets "no new privs" so "rix" it
 /{usr/,}lib/apt/apt-helper rix,
- /etc/apt/auth.conf.d/{,*} r,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+ /etc/apt/auth.conf.d/{,*} r,
 /etc/apt/apt.conf.d/{,*} r,
 /etc/apt/apt.conf r,
@@ -55,6 +59,7 @@ profile apt-methods-http @{exec_path} {
 /var/cache/apt/** rwk,
 # For the aptitude interactive mode
+ /tmp/ r,
 owner /tmp/aptitude-root.*/aptitude-download-* rw,
 owner /tmp/apt-changelog-*/*.changelog rw,
diff --git a/apparmor.d/apt-methods-mirror b/apparmor.d/apt-methods-mirror
index aadb324f..fe2785c5 100644
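Review bot: in the apt-methods-http hunk, `/ r,`, `/etc/ r,` and `/root/ r,` are granted to the one method that parses untrusted network responses; on current apt releases the transport methods drop to the unprivileged _apt user, so a listing of /root/ is something DAC normally refuses them anyway and the rule is likely dead weight in this profile. If it was added to silence a logged denial, quoting that denial above the rule (`# seen: DENIED open name="/root/" profile="apt-methods-http" (placeholder)`) makes the grant reviewable; otherwise it is cleaner to leave the network-facing methods without it. Moving `/etc/apt/auth.conf.d/{,*} r,` below the new block is a pure reorder and needs no change.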
--- a/apparmor.d/apt-methods-mirror
+++ b/apparmor.d/apt-methods-mirror
@@ -38,6 +38,11 @@ profile apt-methods-mirror @{exec_path} {
 owner /var/lib/apt/lists/* rw,
 owner /var/lib/apt/lists/partial/* rw,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 # For package building
 @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
diff --git a/apparmor.d/apt-methods-rred b/apparmor.d/apt-methods-rred
index 5c99528a..86260641 100644
--- a/apparmor.d/apt-methods-rred
+++ b/apparmor.d/apt-methods-rred
@@ -38,6 +38,11 @@ profile apt-methods-rred @{exec_path} {
 # apt-helper gets "no new privs" so "rix" it
 /{usr/,}lib/apt/apt-helper rix,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 /etc/apt/apt.conf.d/{,*} r,
 /etc/apt/apt.conf r,
diff --git a/apparmor.d/apt-methods-rsh b/apparmor.d/apt-methods-rsh
index 2ce2e1e3..b9de6730 100644
--- a/apparmor.d/apt-methods-rsh
+++ b/apparmor.d/apt-methods-rsh
@@ -38,6 +38,11 @@ profile apt-methods-rsh @{exec_path} {
 owner /var/lib/apt/lists/* rw,
 owner /var/lib/apt/lists/partial/* rw,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 # For package building
 @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
diff --git a/apparmor.d/apt-methods-store b/apparmor.d/apt-methods-store
index 5841d342..3ed2218f 100644
--- a/apparmor.d/apt-methods-store
+++ b/apparmor.d/apt-methods-store
@@ -38,6 +38,11 @@ profile apt-methods-store @{exec_path} {
 # apt-helper gets "no new privs" so "rix" it
 /{usr/,}lib/apt/apt-helper rix,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
 /etc/apt/apt.conf.d/{,*} r,
 /etc/apt/apt.conf r,
@@ -50,6 +55,7 @@ profile apt-methods-store @{exec_path} {
 /usr/share/doc/*/changelog.* r,
+ /tmp/ r,
 owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
 # For package building
diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude
index c04bde3f..9867aad0 100644
--- a/apparmor.d/aptitude
+++ b/apparmor.d/aptitude
@@ -73,9 +73,9 @@ profile aptitude @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/test rix,
- /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/test rix,
+ /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/ps rPx,
 /{usr/,}bin/dpkg rPx,
@@ -127,6 +127,7 @@ profile aptitude @{exec_path} flags=(complain) {
 owner @{PROC}/@{pid}/fd/ r,
+ /tmp/ r,
 owner /tmp/aptitude-*.@{pid}:*/ rw,
 owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
 /tmp/aptitude-*.@{pid}:*/pkgstates* r,
@@ -172,16 +173,20 @@ profile aptitude @{exec_path} flags=(complain) {
 #include
 #include
+ /{usr/,}bin/ r,
 /{usr/,}bin/sensible-pager mr,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/less rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/less rix,
 owner @{HOME}/.less* rw,
 owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
+ # For shell pwd
+ /root/ r,
+
 }
 #include if exists
diff --git a/apparmor.d/aptitude-create-state-bundle b/apparmor.d/aptitude-create-state-bundle
index 63bafae7..5f398845 100644
--- a/apparmor.d/aptitude-create-state-bundle
+++ b/apparmor.d/aptitude-create-state-bundle
@@ -20,12 +20,12 @@ profile aptitude-create-state-bundle @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/gzip rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/gzip rix,
 # Files included in the bundle
 owner @{HOME}/.aptitude/{,*} r,
diff --git a/apparmor.d/aptitude-run-state-bundle b/apparmor.d/aptitude-run-state-bundle
index be610bc0..8ebe76cd 100644
--- a/apparmor.d/aptitude-run-state-bundle
+++ b/apparmor.d/aptitude-run-state-bundle
@@ -21,12 +21,12 @@ profile aptitude-run-state-bundle @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/rm rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
 /{usr/,}bin/aptitude-curses rPx,
diff --git a/apparmor.d/atom b/apparmor.d/atom
index 91215eee..3f69cf15 100644
--- a/apparmor.d/atom
+++ b/apparmor.d/atom
@@ -48,32 +48,29 @@ profile atom @{exec_path} {
 deny /{usr/,}local/bin/ r,
 deny /{usr/,}bin/ r,
- #/{usr/,}bin/bash rix,
- #/{usr/,}bin/zsh rix,
- #/{usr/,}bin/env rix,
- #/{usr/,}bin/rmdir rix,
- #/{usr/,}bin/{,e}grep rix,
- #/{usr/,}bin/ls rix,
- #/{usr/,}bin/gawk rix,
- #/{usr/,}bin/tty rix,
- #/{usr/,}bin/dircolors rix,
- #/{usr/,}bin/cut rix,
- #/{usr/,}bin/xwininfo rix,
- #/{usr/,}bin/date rix,
+ #/{usr/,}bin/{,ba,da}sh rix,
+ #/{usr/,}bin/zsh rix,
+ #/{usr/,}bin/env rix,
+ #/{usr/,}bin/rmdir rix,
+ #/{usr/,}bin/{,e}grep rix,
+ #/{usr/,}bin/ls rix,
+ #/{usr/,}bin/gawk rix,
+ #/{usr/,}bin/tty rix,
+ #/{usr/,}bin/dircolors rix,
+ #/{usr/,}bin/cut rix,
+ #/{usr/,}bin/xwininfo rix,
+ #/{usr/,}bin/date rix,
 # The expr and uname tools are needed or Atom won't start with the following error:
 # Your platform () is not supported.
- /{usr/,}bin/expr rix,
- /{usr/,}bin/uname rix,
+ /{usr/,}bin/expr rix,
+ /{usr/,}bin/uname rix,
 # The following also are needed to start Atom
- /{usr/,}bin/basename rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/nohup rix,
- /{usr/,}bin/cat rix,
- # The dash shell is needed to install packages. If you don't want to install any, coment the
- # following line out.
- #/{usr/,}bin/dash rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/nohup rix,
+ /{usr/,}bin/cat rix,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
 /{usr/,}bin/xdg-open rCx -> open,
@@ -194,6 +191,10 @@ profile atom @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping
index 3a8ebf97..2ed7af5f 100644
--- a/apparmor.d/bin.ping
+++ b/apparmor.d/bin.ping
@@ -21,7 +21,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
 network inet raw,
 network inet6 raw,
- /{,usr/}bin/{,iputils-}ping mixr,
+ /{usr/,}bin/{,iputils-}ping mixr,
 /etc/modules.conf r,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray
index f27e0073..4f96ab97 100644
--- a/apparmor.d/birdtray
+++ b/apparmor.d/birdtray
@@ -83,6 +83,10 @@ profile birdtray @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/brave b/apparmor.d/brave
index e5af3ffe..570a6322 100644
--- a/apparmor.d/brave
+++ b/apparmor.d/brave
@@ -209,8 +209,11 @@ profile brave @{exec_path} {
 /{usr/,}bin/xdg-open mr,
- # Allowed apps to open
+ owner @{HOME}/ r,
+ owner @{run}/user/[0-9]*/ r,
+
+ # Allowed apps to open
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/brave-browser b/apparmor.d/brave-browser
index d3690963..48503730 100644
--- a/apparmor.d/brave-browser
+++ b/apparmor.d/brave-browser
@@ -24,13 +24,13 @@ profile brave-browser @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /usr/bin/readlink rix,
- /usr/bin/dirname rix,
- /usr/bin/which rix,
- /usr/bin/mkdir rix,
- /usr/bin/cat rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/cat rix,
 @{BRAVE_INSTALLDIR}/brave rPx,
diff --git a/apparmor.d/calibre b/apparmor.d/calibre
index 92e6535d..383e250c 100644
--- a/apparmor.d/calibre
+++ b/apparmor.d/calibre
@@ -63,7 +63,7 @@ profile calibre @{exec_path} {
 #/{usr/,}bin/ r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/ldconfig rix,
 /{usr/,}bin/uname rix,
 /{usr/,}bin/file rix,
@@ -183,7 +183,11 @@ profile calibre @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index f7d44058..10d422ab 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird @@ -28,7 +28,7 @@ profile cawbird @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/exo-open rCx -> open, @@ -76,6 +76,10 @@ profile cawbird @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/check-bios-nx b/apparmor.d/check-bios-nx index c1bba888..d122dc55 100644 --- a/apparmor.d/check-bios-nx +++ b/apparmor.d/check-bios-nx @@ -23,15 +23,15 @@ profile check-bios-nx @{exec_path} { capability dac_override, @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getopt rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/getopt rix, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/rdmsr rPx, + /{usr/,}sbin/rdmsr rPx, owner @{PROC}/@{pid}/fd/2 w, diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status index bce5f857..8c55381a 100644 --- a/apparmor.d/check-support-status +++ b/apparmor.d/check-support-status @@ -19,10 +19,11 @@ profile check-support-status @{exec_path} flags=(complain) { #include @{exec_path} rix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /etc/debian_version r, + /{usr/,}bin/ r, /{usr/,}bin/gettext.sh r, /{usr/,}bin/cat rix, /{usr/,}bin/{,e}grep rix, 
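Review bot: Replacing `/{usr/,}bin/dash r` with `/{usr/,}bin/{,ba,da}sh rix` in check-bios-nx widens the profile from one interpreter to three while the same profile carries `capability dac_override`, which every `ix` child inherits. If check-bios-nx is a `#!/bin/sh` script (dash on Debian), `/{usr/,}bin/{,da}sh rix,` is sufficient and bash has no reason to run under this profile. The profile header and its `#include` lines are outside the hunk.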
@@ -57,9 +58,11 @@ profile check-support-status @{exec_path} flags=(complain) { owner /tmp/debian-security-support.*/{,**} rw, /tmp/debian-security-support.postinst.*/output w, + /var/lib/debian-security-support/ r, owner /var/lib/debian-security-support/security-support.semaphore rw, owner /var/lib/debian-security-support/tmp.* rw, + /usr/share/debian-security-support/ r, /usr/share/debian-security-support/* r, diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook index a663d4ce..0de24ca7 100644 --- a/apparmor.d/check-support-status-hook +++ b/apparmor.d/check-support-status-hook @@ -20,14 +20,15 @@ profile check-support-status-hook @{exec_path} flags=(complain) { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/getent rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/chown rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, + /{usr/,}bin/ r, + /{usr/,}bin/getent rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/chown rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, /{usr/,}sbin/adduser rPx, /{usr/,}bin/check-support-status rPx, @@ -40,9 +41,17 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /usr/share/debconf/confmodule r, + # For shell pwd + / r, + /root/ r, + + /tmp/ r, owner /tmp/debian-security-support.postinst.*/ rw, owner /tmp/debian-security-support.postinst.*/output rw, + /var/lib/ r, + /var/lib/debian-security-support/ r, + profile debconf-escape flags=(complain) { #include @@ -52,6 +61,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /{usr/,}bin/debconf-escape r, /{usr/,}bin/perl r, + /tmp/ r, owner /tmp/debian-security-support.postinst.*/output r, } 
@@ -65,11 +75,12 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, /{usr/,}bin/perl r, + /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, @@ -106,7 +117,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /{usr/,}sbin/runuser mr, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/check-support-status rPx, @@ -115,6 +126,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /etc/security/limits.d/ r, + /tmp/ r, owner /tmp/debian-security-support.postinst.*/output w, } diff --git a/apparmor.d/child-lsb_release b/apparmor.d/child-lsb_release index 1d598783..9be0414d 100644 --- a/apparmor.d/child-lsb_release +++ b/apparmor.d/child-lsb_release @@ -38,8 +38,7 @@ profile child-lsb_release { # /etc/lsb-release r, # /etc/lsb-release.d/ r, -# /{usr/,}bin/bash ixr, -# /{usr/,}bin/dash ixr, +# /{usr/,}bin/{,ba,da}sh rix, # /{usr/,}bin/basename ixr, # /{usr/,}bin/getopt ixr, diff --git a/apparmor.d/child-pager b/apparmor.d/child-pager index 627abbfe..9ca17b3d 100644 --- a/apparmor.d/child-pager +++ b/apparmor.d/child-pager @@ -26,11 +26,15 @@ profile child-pager { signal (receive) set=(stop, cont, term, kill), + /{usr/,}bin/ r, /{usr/,}bin/pager mr, /{usr/,}bin/less mr, /{usr/,}bin/more mr, owner @{HOME}/.lesshs* rw, + # For shell pwd + /root/ r, + #include if exists } diff --git a/apparmor.d/chromium b/apparmor.d/chromium index 9d16a395..61296c8a 100644 --- a/apparmor.d/chromium +++ b/apparmor.d/chromium 
@@ -27,16 +27,16 @@ profile chromium @{exec_path} { @{CHROMIUM_INSTALLDIR}/chromium rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mktemp rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/mktemp rix, # For chromium -g /{usr/,}bin/gdb rPUx, diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index 7b652637..59115637 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -190,7 +190,11 @@ profile chromium-chromium @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}bin/smplayer rPx, diff --git a/apparmor.d/claws-mail b/apparmor.d/claws-mail index d6cb6689..024fea13 100644 --- a/apparmor.d/claws-mail +++ b/apparmor.d/claws-mail @@ -30,21 +30,21 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/which rix, - /{usr/,}bin/gpg rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, # For Orage integration - /{usr/,}bin/orage rPUx, + /{usr/,}bin/orage rPUx, # For sending local mails - /{usr/,}sbin/exim4 rPUx, + /{usr/,}sbin/exim4 rPUx, # For editing in an external editor - /{usr/,}bin/geany rPUx, + /{usr/,}bin/geany rPUx, owner @{HOME}/ r, owner @{HOME}/.claws-mail/ rw, diff --git a/apparmor.d/code b/apparmor.d/code index fc7690db..3f0a69df 100644 --- a/apparmor.d/code +++ b/apparmor.d/code 
@@ -44,9 +44,8 @@ profile code @{exec_path} { # The bash shell is needed only when you want to start code via bin/code. Also the shells are # needed if you plan to operate on the built in terminal. If you don't need the built in terminal # and want to use the linux one, the following three lines can be commented out. - # /{usr/,}bin/bash rix, - # /{usr/,}bin/zsh rix, - # /{usr/,}bin/dash rix, + #/{usr/,}bin/{,ba,da}sh rix, + # /{usr/,}bin/zsh rix, #/{usr/,}bin/dirname rix, #/{usr/,}bin/{,e}grep rix, diff --git a/apparmor.d/conky b/apparmor.d/conky index eead9452..65160494 100644 --- a/apparmor.d/conky +++ b/apparmor.d/conky @@ -28,21 +28,20 @@ profile conky @{exec_path} { @{exec_path} mr, # Needed tools to render conky output - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uniq rix, - /{usr/,}bin/head rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/date rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/sed rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/uniq rix, + /{usr/,}bin/head rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/date rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/sed rix, # To remove the following error: # .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied @@ -154,7 +153,7 @@ profile conky @{exec_path} { /{usr/,}bin/lynx mr, /{usr/,}bin/w3m mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /etc/mime.types r, /etc/mailcap r, diff --git a/apparmor.d/convertall b/apparmor.d/convertall index 2f87ac53..54881e80 100644 --- a/apparmor.d/convertall +++ b/apparmor.d/convertall 
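Review bot: The comment above the shell rules in the code profile still says "the following three lines can be commented out" while the hunk merges bash and dash into one glob, leaving two lines. Update it to `# and want to use the linux one, the following two lines can be commented out.` so the guidance matches the rules beneath it. The profile body continues outside the hunk.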
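Review bot: `/{usr/,}bin/sed rix,` appears twice in the re-indented tool list of the conky profile (once after `rm`, once after `wc`), and the hunk rewrites both lines but keeps the duplicate. Dropping the second occurrence leaves the policy unchanged and the allow-list easier to audit. The conky profile body continues outside the hunk.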
@@ -29,7 +29,7 @@ profile convertall @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* rix, diff --git a/apparmor.d/cpupower b/apparmor.d/cpupower index 851c638a..24c32773 100644 --- a/apparmor.d/cpupower +++ b/apparmor.d/cpupower @@ -26,9 +26,9 @@ profile cpupower @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}bin/man rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/man rPx, @{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r, @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, diff --git a/apparmor.d/cron b/apparmor.d/cron index 85673b3c..bb20a9fe 100644 --- a/apparmor.d/cron +++ b/apparmor.d/cron @@ -28,9 +28,9 @@ profile cron @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, /etc/crontab r, diff --git a/apparmor.d/cron-apt b/apparmor.d/cron-apt index 11e494b9..bfbdc462 100644 --- a/apparmor.d/cron-apt +++ b/apparmor.d/cron-apt @@ -23,7 +23,7 @@ profile cron-apt @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/dotlockfile rix, /{usr/,}bin/sed rix, /{usr/,}bin/mktemp rix, @@ -61,10 +61,13 @@ profile cron-apt @{exec_path} { /etc/cron-apt/refrain r, /etc/cron-apt/action.d/[0-9]-* r, - /var/lib/cron-apt/{,**/} w, - /var/lib/cron-apt/.lk@{pid}* rw, - /var/lib/cron-apt/lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*, - /var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/[0-9]-*-[0-9a-f]* rw, + # For shell pwd + / r, + /etc/ r, + /root/ r, + + /var/lib/cron-apt/ rw, + /var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**, # Logs /var/log/cron-apt/ r, @@ -77,6 +80,7 @@ profile cron-apt @{exec_path} { /{usr/,}lib/locale/locale-archive r, # TMP + /tmp/ r, owner /tmp/cron-apt.*/ rw, owner /tmp/cron-apt.*/difftemp rw, owner /tmp/cron-apt.*/lockfile rw, 
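Review bot: `/var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**,` replaces four specific rules, including a link rule that only allowed `lockfile` to be linked to `.lk@{pid}*`, with read, write and hard-link on every file under the state directory to any other name under it. That discards the one part of the lockfile handling that was auditable; if the broader rule was added for the `mailchanges` tree, keep the old pair and scope the glob: `/var/lib/cron-apt/.lk@{pid}* rw,`, `/var/lib/cron-apt/lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*,` and `/var/lib/cron-apt/_-_*/** rw,`. The added `/ r`, `/etc/ r` and `/root/ r` are directory reads only and look harmless. The cron-apt profile continues outside the hunk.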
diff --git a/apparmor.d/cron-apt-listbugs b/apparmor.d/cron-apt-listbugs index f1f1b3ec..c26954d5 100644 --- a/apparmor.d/cron-apt-listbugs +++ b/apparmor.d/cron-apt-listbugs @@ -18,7 +18,7 @@ profile cron-apt-listbugs @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean, @@ -30,12 +30,12 @@ profile cron-apt-listbugs @{exec_path} { /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr, - /{usr/,}bin/dash r, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/date rix, + /{usr/,}bin/cat rix, /var/spool/apt-listbugs/lastprefclean rw, diff --git a/apparmor.d/cron-apt-show-versions b/apparmor.d/cron-apt-show-versions index 2e74b256..fda645e0 100644 --- a/apparmor.d/cron-apt-show-versions +++ b/apparmor.d/cron-apt-show-versions @@ -18,9 +18,12 @@ profile cron-apt-show-versions @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-show-versions rPx, + # For shell pwd + / r, + #include if exists } diff --git a/apparmor.d/cron-apt-xapian-index b/apparmor.d/cron-apt-xapian-index index bc953c31..36fc40f1 100644 --- a/apparmor.d/cron-apt-xapian-index +++ b/apparmor.d/cron-apt-xapian-index @@ -18,16 +18,20 @@ profile cron-apt-xapian-index @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/which rix, + /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, + /{usr/,}sbin/ r, /{usr/,}sbin/update-apt-xapian-index rPx, /{usr/,}sbin/on_ac_power rPx, + # For shell pwd + / r, + #include if exists } 
diff --git a/apparmor.d/cron-aptitude b/apparmor.d/cron-aptitude index 7479cc59..99734edd 100644 --- a/apparmor.d/cron-aptitude +++ b/apparmor.d/cron-aptitude @@ -18,20 +18,20 @@ profile cron-aptitude @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/which rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/date rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/which rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, - /{usr/,}bin/savelog rix, - /{usr/,}bin/cmp rix, + /{usr/,}bin/savelog rix, + /{usr/,}bin/cmp rix, - /{usr/,}bin/gzip rix, + /{usr/,}bin/gzip rix, /var/lib/aptitude/pkgstates r, diff --git a/apparmor.d/cron-debsums b/apparmor.d/cron-debsums index 6859e7ab..82a4c94e 100644 --- a/apparmor.d/cron-debsums +++ b/apparmor.d/cron-debsums @@ -19,20 +19,24 @@ profile cron-debsums @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/true rix, - /{usr/,}bin/logger rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/true rix, + /{usr/,}bin/logger rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/ionice rix, - /{usr/,}bin/debsums rPx, - /{usr/,}bin/tee rCx -> tee, + /{usr/,}bin/debsums rPx, + /{usr/,}bin/tee rCx -> tee, + /etc/ r, /etc/default/debsums r, /etc/debsums-ignore r, + # For shell pwd + / r, + profile tee { #include diff --git a/apparmor.d/cron-dlocate b/apparmor.d/cron-dlocate index 3ff31343..b8d94786 100644 --- a/apparmor.d/cron-dlocate +++ b/apparmor.d/cron-dlocate @@ -18,7 +18,7 @@ profile cron-dlocate @{exec_path} { #include @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/update-dlocatedb rPx, 
diff --git a/apparmor.d/cron-ipset-autoban-save b/apparmor.d/cron-ipset-autoban-save index 0b57f403..5d68ce1c 100644 --- a/apparmor.d/cron-ipset-autoban-save +++ b/apparmor.d/cron-ipset-autoban-save @@ -19,10 +19,9 @@ profile cron-ipset-autoban-save @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - - /{usr/,}sbin/ipset rix, + /{usr/,}sbin/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/cron-logrotate b/apparmor.d/cron-logrotate index 5578e61a..6123ef48 100644 --- a/apparmor.d/cron-logrotate +++ b/apparmor.d/cron-logrotate @@ -18,11 +18,14 @@ profile cron-logrotate @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/logrotate rPx, /{usr/,}bin/logger rix, + # For shell pwd + / r, + #include if exists } diff --git a/apparmor.d/cron-mlocate b/apparmor.d/cron-mlocate index fecc519e..f34cb78c 100644 --- a/apparmor.d/cron-mlocate +++ b/apparmor.d/cron-mlocate @@ -19,14 +19,14 @@ profile cron-mlocate @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, - /{usr/,}bin/true rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/nocache rix, - /{usr/,}bin/ionice rix, - /{usr/,}bin/nice rix, + /{usr/,}bin/which rix, + /{usr/,}bin/true rix, + /{usr/,}bin/flock rix, + /{usr/,}bin/nocache rix, + /{usr/,}bin/ionice rix, + /{usr/,}bin/nice rix, /{usr/,}bin/updatedb.mlocate rPx, /{usr/,}sbin/on_ac_power rPx, diff --git a/apparmor.d/cron-popularity-contest b/apparmor.d/cron-popularity-contest index 985b85a9..a108f6e1 100644 --- a/apparmor.d/cron-popularity-contest +++ b/apparmor.d/cron-popularity-contest 
@@ -18,33 +18,39 @@ profile cron-popularity-contest @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/popularity-contest rPx, - /{usr/,}bin/logger rix, - /{usr/,}bin/date rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/setsid rix, + /{usr/,}bin/logger rix, + /{usr/,}bin/date rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/setsid rix, # To send reports via TOR - /{usr/,}bin/torify rix, - /{usr/,}bin/torsocks rix, - /{usr/,}sbin/getcap rix, + /{usr/,}bin/torify rix, + /{usr/,}bin/torsocks rix, + /{usr/,}sbin/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, - /{usr/,}bin/gpg rCx -> gpg, - /{usr/,}sbin/runuser rCx -> runuser, - /{usr/,}bin/savelog rCx -> savelog, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}sbin/runuser rCx -> runuser, + /{usr/,}bin/savelog rCx -> savelog, + /usr/share/popularity-contest/ r, /usr/share/popularity-contest/default.conf r, /etc/popularity-contest.conf r, + # For shell pwd + / r, + /root/ r, + + /var/log/ r, /var/log/popularity-contest{,.new} rw, /var/log/popularity-contest{,.new}.gpg rw, @@ -64,16 +70,16 @@ profile cron-popularity-contest @{exec_path} { /{usr/,}bin/savelog mr, - /{usr/,}bin/date rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/which rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/gzip rix, + /{usr/,}bin/date rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/which rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/gzip rix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /var/log/ r, /var/log/popularity-contest.[0-9]*.gz rw, 
@@ -93,7 +99,7 @@ profile cron-popularity-contest @{exec_path} { /{usr/,}sbin/runuser mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/popularity-contest rPx, diff --git a/apparmor.d/crontab b/apparmor.d/crontab index 493a6860..b62c26b6 100644 --- a/apparmor.d/crontab +++ b/apparmor.d/crontab @@ -24,7 +24,7 @@ profile crontab @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, # When editing the crontab file /{usr/,}bin/sensible-editor rCx -> editor, @@ -45,7 +45,7 @@ profile crontab @{exec_path} { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/which rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/ddclient b/apparmor.d/ddclient index d5bc7658..d9e98a90 100644 --- a/apparmor.d/ddclient +++ b/apparmor.d/ddclient @@ -24,8 +24,8 @@ profile ddclient @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/logger rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/logger rix, /etc/ddclient.conf r, diff --git a/apparmor.d/debconf-apt-progress b/apparmor.d/debconf-apt-progress index 40140201..31b2ffe9 100644 --- a/apparmor.d/debconf-apt-progress +++ b/apparmor.d/debconf-apt-progress @@ -39,9 +39,9 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { /{usr/,}bin/debconf-apt-progress rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. /{usr/,}bin/whiptail rPx, diff --git a/apparmor.d/debsecan b/apparmor.d/debsecan index effe7a62..f497e94f 100644 --- a/apparmor.d/debsecan +++ b/apparmor.d/debsecan 
@@ -25,11 +25,11 @@ profile debsecan @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, # Send results using email - /{usr/,}sbin/exim4 rPx, + /{usr/,}sbin/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/debsign b/apparmor.d/debsign index e6cd4204..58cf7d68 100644 --- a/apparmor.d/debsign +++ b/apparmor.d/debsign @@ -20,28 +20,28 @@ profile debsign @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/head rix, - /{usr/,}bin/cu rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/cmp rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/head rix, + /{usr/,}bin/cu rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/cmp rix, - /{usr/,}bin/md5sum rix, + /{usr/,}bin/md5sum rix, /{usr/,}bin/sha{1,256,512}sum rix, - /{usr/,}bin/perl rix, + /{usr/,}bin/perl rix, /etc/devscripts.conf r, owner @{HOME}/.devscripts r, diff --git a/apparmor.d/debsums b/apparmor.d/debsums index 9299d382..068583a0 100644 --- a/apparmor.d/debsums +++ b/apparmor.d/debsums @@ -23,8 +23,8 @@ profile debsums @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, 
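Review bot: `/{usr/,}bin/cu rix,` in the re-indented debsign tool list looks like a truncated `cut`, which follows it on the next line; `cu` is the UUCP call-up program and nothing in debsign's workflow visible here needs it, yet the line survives the hunk with only its whitespace changed. Unless a denial for `cu` was actually observed, drop that line so the allow-list stays minimal. The debsign profile continues outside the hunk.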
@@ -37,6 +37,9 @@ profile debsums @{exec_path} { /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + # For shell pwd + / r, + # Scanning files /{usr/,}bin/{,*} r, /{usr/,}sbin/{,*} r, diff --git a/apparmor.d/debuild b/apparmor.d/debuild deleted file mode 100644 index 52634516..00000000 --- a/apparmor.d/debuild +++ /dev/null @@ -1,49 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2020 Mikhail Morfikov -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - -#abi , - -#include - -@{BUILD_DIR} = /media/debuilder/ - -@{exec_path} = /{usr/,}bin/debuild -profile debuild @{exec_path} flags=(complain) { - #include - #include - #include - - @{exec_path} r, - /{usr/,}bin/perl r, - - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/pwd rix, - /{usr/,}bin/tee rix, - - /{usr/,}bin/dpkg-architecture rPx, - /{usr/,}bin/dpkg-buildpackage rPx, - /{usr/,}bin/debsign rPx, - - /usr/share/lintian/bin/lintian rPx, - /{usr/,}bin/lintian rPx, - - /etc/devscripts.conf r, - - /etc/dpkg/origins/debian r, - - # For package building - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - - #include if exists -} diff --git a/apparmor.d/deluser b/apparmor.d/deluser index bf7cb4fa..c5e3e08a 100644 --- a/apparmor.d/deluser +++ b/apparmor.d/deluser 
@@ -29,15 +29,15 @@ profile deluser @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}sbin/userdel rPx, - /{usr/,}sbin/groupdel rPx, - /{usr/,}bin/gpasswd rPx, + /{usr/,}sbin/userdel rPx, + /{usr/,}sbin/groupdel rPx, + /{usr/,}bin/gpasswd rPx, - /{usr/,}bin/crontab rPx, + /{usr/,}bin/crontab rPx, - /{usr/,}bin/mount rCx -> mount, + /{usr/,}bin/mount rCx -> mount, /etc/adduser.conf r, /etc/deluser.conf r, diff --git a/apparmor.d/dh b/apparmor.d/dh deleted file mode 100644 index 752150ca..00000000 --- a/apparmor.d/dh +++ /dev/null 
@@ -1,114 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2020 Mikhail Morfikov -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - -#abi , - -#include - -@{BUILD_DIR} = /media/debuilder/ - -@{exec_path} = /{usr/,}bin/dh -@{exec_path} += /{usr/,}bin/dh_* -profile dh @{exec_path} flags=(complain) { - #include - #include - - @{exec_path} r, - /{usr/,}bin/perl r, - - /{usr/,}bin/dh_* rix, - - /{usr/,}bin/dash rix, - /{usr/,}bin/make rix, - /{usr/,}bin/find rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mkdir rix, - - /{usr/,}bin/dpkg-vendor rPx, - - /usr/share/python/pyversions.py rCx -> python, - /usr/share/python3/py3versions.py rCx -> python, - /usr/share/dh-python/* rCx -> python, - - # What to do with it? The "rules" file is just a make file and can use any tool. 
(#FIXME#) - owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules, - owner @{BUILD_DIR}/** rcx -> debian-rules, - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - - /etc/dpkg/origins/debian r, - - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - owner @{HOME}/.config/dpkg/buildflags.conf r, - - /usr/share/dpkg/* r, - - - profile debian-rules flags=(complain) { - #include - - owner @{BUILD_DIR}/**/debian/rules rix, - owner @{BUILD_DIR}/** rix, - owner @{BUILD_DIR}/** rwkl -> /media/debuilder/*/**, - - /{usr/,}bin/dash rix, - /{usr/,}bin/make rix, - - # Don't strip env here - /{usr/,}bin/* rpux, - - /usr/share/dpkg/* r, - - / r, - /usr/include/{,**} r, - - # Key to sign the kernel and its modules - /etc/kernel_key/* r, - - owner /tmp/cpiolist.* rw, - - } - - profile python flags=(complain) { - #include - #include - - /usr/share/python/pyversions.py mr, - /usr/share/python3/py3versions.py mr, - /usr/share/dh-python/* mr, - - /{usr/,}bin/python2.[0-9]* rix, - /{usr/,}bin/python3.[0-9]* rix, - - /usr/share/python/ r, - /usr/share/python/debian_defaults r, - /usr/share/python3/ r, - /usr/share/python3/debian_defaults r, - - /usr/share/dh-python/ r, - /usr/share/dh-python/** r, - - /{usr/,}bin/which rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/dpkg-architecture rPx, - /{usr/,}bin/git rPx, - - owner /media/debuilder/** r, - owner /media/debuilder/**/.pybuild/ rw, - owner /media/debuilder/**/.pybuild/** rw, - - owner @{PROC}/@{pid}/fd/ r, - - } - - #include if exists -} diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script index 070c8575..6781ccce 100644 --- a/apparmor.d/dhclient-script +++ b/apparmor.d/dhclient-script 
@@ -25,16 +25,17 @@ profile dhclient-script @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash mrix, + /{usr/,}bin/{,ba,da}sh mrix, - /{usr/,}bin/ping rPx, - /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/ping rPx, + /{usr/,}bin/run-parts rCx -> run-parts, # To remove the following error: # /sbin/dhclient-script: 133: hostname: Permission denied - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rPx, # To read scripts + /etc/dhcp/ r, /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r, # For debug script @@ -43,9 +44,9 @@ profile dhclient-script @{exec_path} { owner /tmp/dhclient-script.debug rw, # For ddclient script - /{usr/,}sbin/ddclient rPx, - /etc/default/ddclient r, - /{usr/,}bin/logger rix, + /{usr/,}sbin/ddclient rPx, + /etc/default/ddclient r, + /{usr/,}bin/logger rix, # For samba script /{usr/,}bin/mv rix, diff --git a/apparmor.d/discord b/apparmor.d/discord index 26d5ed98..c1722280 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -49,7 +49,7 @@ profile discord @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/xdg-open rCx -> open, #/{usr/,}bin/lsb_release rCx -> lsb_release, @@ -143,12 +143,12 @@ profile discord @{exec_path} { /{usr/,}bin/xdg-mime mr, - /{usr/,}bin/dash r, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/sed rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/head rix, + /{usr/,}bin/sed rix, # file_inherit /usr/share/discord/** r, @@ -193,6 +193,10 @@ profile discord @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, diff --git a/apparmor.d/dkms b/apparmor.d/dkms index a2c533e8..d5733489 100644 --- a/apparmor.d/dkms +++ b/apparmor.d/dkms 
@@ -19,34 +19,33 @@ profile dkms @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/head rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/nproc rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/diff rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/find rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/pwd rix, - /{usr/,}bin/getconf rix, - /{usr/,}bin/xargs rix, + /{usr/,}bin/head rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/nproc rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/diff rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/find rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/date rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/pwd rix, + /{usr/,}bin/getconf rix, + /{usr/,}bin/xargs rix, /{usr/,}bin/make rix, /{usr/,}bin/{,@{multiarch}-}* rix, diff --git a/apparmor.d/dkms-autoinstaller b/apparmor.d/dkms-autoinstaller index cca33ec1..fd4288aa 100644 --- a/apparmor.d/dkms-autoinstaller +++ b/apparmor.d/dkms-autoinstaller 
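Review bot: The new `/{usr/,}bin/{,ba,da}sh rix,` and the whole re-indented coreutils list in the dkms profile are shadowed by the trailing context line `/{usr/,}bin/{,@{multiarch}-}* rix,`, which already grants inherit-execute of every program under /bin and /usr/bin. Either that wildcard is intended and the explicit rules are dead weight, or the explicit list is the intended allow-list and the wildcard should be removed; keeping both gives a false impression of an allow-list. The dkms profile body continues outside the hunk.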
@@ -19,15 +19,18 @@ profile dkms-autoinstaller @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, - /{usr/,}sbin/dkms rPx, + /{usr/,}sbin/dkms rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rPx -> child-systemctl, + + # For shell pwd + / r, profile run-parts { diff --git a/apparmor.d/dlocate b/apparmor.d/dlocate index 355b397d..c36987db 100644 --- a/apparmor.d/dlocate +++ b/apparmor.d/dlocate @@ -20,7 +20,7 @@ profile dlocate @{exec_path} { #include @{exec_path} rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/getopt rix, /{usr/,}bin/{,e}grep rix, diff --git a/apparmor.d/dpkg b/apparmor.d/dpkg index 72ef4daf..f52e3b83 100644 --- a/apparmor.d/dpkg +++ b/apparmor.d/dpkg @@ -34,7 +34,7 @@ profile dpkg @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/rm rix, /{usr/,}bin/dpkg-query rPx, @@ -80,8 +80,12 @@ profile dpkg @{exec_path} { /var/log/dpkg.log w, + # For shell pwd + /root/ r, + # Basically, dpkg needs R/W permissions to the following files since it installs them. # It also needs the L permission when a package is reinstalled. + / r, /usr/ r, /usr/** rwl -> /usr/**, /lib/ r, @@ -115,6 +119,7 @@ profile dpkg @{exec_path} { #include #include + /{usr/,}bin/ r, /{usr/,}bin/pager mr, /{usr/,}bin/less mr, /{usr/,}bin/more mr, @@ -125,6 +130,9 @@ profile dpkg @{exec_path} { # Diff changed config files /etc/** r, + # For shell pwd + /root/ r, + } profile scripts { diff --git a/apparmor.d/dpkg-buildpackage b/apparmor.d/dpkg-buildpackage deleted file mode 100644 index 7c9cfd32..00000000 --- a/apparmor.d/dpkg-buildpackage +++ /dev/null 
@@ -1,117 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2020 Mikhail Morfikov -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - -#abi , - -#include - -@{BUILD_DIR} = /media/debuilder/ - -@{exec_path} = /{usr/,}bin/dpkg-buildpackage -profile dpkg-buildpackage @{exec_path} flags=(complain) { - #include - #include - - @{exec_path} r, - /{usr/,}bin/perl r, - - /{usr/,}bin/dash rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/getconf rix, - /{usr/,}bin/fakeroot-sysv rix, - /{usr/,}bin/faked-sysv rix, - - /{usr/,}bin/dh rPx, - /{usr/,}bin/dpkg-buildflags rPx, - /{usr/,}bin/dpkg-architecture rPx, - /{usr/,}bin/dpkg-genbuildinfo rPx, - /{usr/,}bin/dpkg-genchanges rPx, - /{usr/,}bin/dpkg-checkbuilddeps rPx, - - /{usr/,}bin/dpkg-source rcx -> dpkg-source, - - # What to do with it? The "rules" file is just a make file and can use any tool. 
(#FIXME#) - owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules, - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - - /etc/dpkg/origins/debian r, - - - profile dpkg-source flags=(complain) { - #include - #include - #include - - /{usr/,}bin/dpkg-source mr, - /{usr/,}bin/perl r, - - /{usr/,}bin/tar rix, - /{usr/,}bin/bunzip2 rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/patch rix, - /{usr/,}bin/diff rix, - - /{usr/,}bin/gpg rix, - /{usr/,}bin/gpgv rix, - /{usr/,}bin/gpg-agent rix, - - /etc/dpkg/origins/debian r, - - owner /tmp/** rwkl -> /tmp/**, - owner @{run}/user/[0-9]*/gnupg/** w, - - @{PROC}/@{pid}/fd/ r, - - /usr/share/dpkg/tupletable r, - /usr/share/dpkg/cputable r, - - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - owner @{HOME}/** rwkl -> @{HOME}/**, - audit deny owner @{HOME}/.* mrwkl, - audit deny owner @{HOME}/.*/ rw, - audit deny owner @{HOME}/.*/** mrwkl, - - } - - profile debian-rules flags=(complain) { - #include - - owner @{BUILD_DIR}/**/debian/rules rix, - owner @{BUILD_DIR}/** rix, - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/*/**, - - /{usr/,}bin/dash rix, - /{usr/,}bin/make rix, - - # Don't strip env here - /{usr/,}bin/* rpux, - - /usr/share/dpkg/* r, - - / r, - /usr/include/{,**} r, - - # Key to sign the kernel and its modules - /etc/kernel_key/* r, - - owner /tmp/cpiolist.* rw, - - } - - #include if exists -} diff --git a/apparmor.d/dpkg-divert b/apparmor.d/dpkg-divert index dc145e7f..fb055b86 100644 --- a/apparmor.d/dpkg-divert +++ b/apparmor.d/dpkg-divert @@ -24,5 +24,9 @@ profile dpkg-divert @{exec_path} { /usr/share/*/**.dpkg-divert.tmp w, + /var/lib/dpkg/diversions rw, + /var/lib/dpkg/diversions-new rw, + /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #include if exists } diff --git a/apparmor.d/dpkg-preconfigure b/apparmor.d/dpkg-preconfigure index daaa316e..914c0e61 100644 
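Review bot: The new `diversions-old rwl -> /var/lib/dpkg/diversions,` rule permits the profile to create `diversions-old` as a hard link of the live `diversions` file, which is a stronger grant than the plain `rw` on its two siblings and is not explained anywhere in the hunk. A short comment above the three lines, e.g. `# rewrite of the diversions database: new file written, previous one kept as a link`, would record why the link target is needed; the exact rename/link sequence should be confirmed against dpkg-divert's behaviour before the comment is committed. The dpkg-divert profile body begins outside the hunk.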
--- a/apparmor.d/dpkg-preconfigure +++ b/apparmor.d/dpkg-preconfigure @@ -25,9 +25,9 @@ profile dpkg-preconfigure @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/stty rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/stty rix, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/apt-extracttemplates rPx, diff --git a/apparmor.d/dpkg-query b/apparmor.d/dpkg-query index 5627a2d5..1e13965a 100644 --- a/apparmor.d/dpkg-query +++ b/apparmor.d/dpkg-query @@ -20,11 +20,11 @@ profile dpkg-query @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, /var/lib/dpkg/** r, diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox index b47fc0a8..5a40b872 100644 --- a/apparmor.d/dropbox +++ b/apparmor.d/dropbox @@ -58,11 +58,11 @@ profile dropbox @{exec_path} { owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw, owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw, - /{usr/,}bin/dash rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/uname rix, - /{usr/,}sbin/ldconfig rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/uname rix, + /{usr/,}sbin/ldconfig rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, /{usr/,}bin/{,@{multiarch}-}objdump rix, @@ -135,6 +135,10 @@ profile dropbox @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/e2fsck b/apparmor.d/e2fsck index 355f4824..11005abb 100644 --- a/apparmor.d/e2fsck +++ b/apparmor.d/e2fsck 
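Review bot: The `owner @{HOME}/ r,` and `owner @{run}/user/[0-9]*/ r,` rules added in the second dropbox hunk, just above `# Allowed apps to open`, carry no comment, so a later reader cannot tell which opener step needed to list the home and runtime directories. A one-line comment naming the trigger (presumably directory lookups by xdg-open or the launcher — confirm from the audit log) would keep the block self-describing, e.g. `# directory reads performed by the opener helper`. The same uncommented pair is added in the engrampa, firefox, flameshot, freetube, google-chrome-chrome, gpartedbin, gpodder, gtk-youtube-viewer, hardinfo, jdownloader and keepassxc hunks. The enclosing child profile continues outside the hunk.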
@@ -22,7 +22,7 @@ profile e2fsck @{exec_path} { @{exec_path} mr, # To check for badblocks - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/badblocks rPx, owner @{run}/blkid/blkid.tab{,-*} rw, diff --git a/apparmor.d/eject b/apparmor.d/eject index 428ea0bb..424d1dce 100644 --- a/apparmor.d/eject +++ b/apparmor.d/eject @@ -22,7 +22,7 @@ profile eject @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}lib/eject/dmcrypt-get-device rPx, diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa index 96357712..5c6fd20b 100644 --- a/apparmor.d/engrampa +++ b/apparmor.d/engrampa @@ -28,11 +28,11 @@ profile engrampa @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cp rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cp rix, # Archivers /{usr/,}bin/7z rix, @@ -96,6 +96,10 @@ profile engrampa @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, diff --git a/apparmor.d/execute-dput b/apparmor.d/execute-dput index 52ca2297..c3614651 100644 --- a/apparmor.d/execute-dput +++ b/apparmor.d/execute-dput @@ -25,13 +25,13 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpg rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, /usr/share/dput/{,**} r, diff --git a/apparmor.d/f3fix b/apparmor.d/f3fix index 09293209..e8a2a767 100644 --- a/apparmor.d/f3fix +++ b/apparmor.d/f3fix 
@@ -32,11 +32,11 @@ profile f3fix @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/dmidecode rPx, - /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}bin/udevadm rCx -> udevadm, owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, diff --git a/apparmor.d/fatresize b/apparmor.d/fatresize index d87fdcb1..28c5e643 100644 --- a/apparmor.d/fatresize +++ b/apparmor.d/fatresize @@ -30,7 +30,7 @@ profile fatresize @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/dmidecode rPx, diff --git a/apparmor.d/filezilla b/apparmor.d/filezilla index 6ac9ff95..1ac8643a 100644 --- a/apparmor.d/filezilla +++ b/apparmor.d/filezilla @@ -28,7 +28,7 @@ profile filezilla @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/uname rix, # When using SFTP protocol diff --git a/apparmor.d/firefox b/apparmor.d/firefox index dd2568f5..46d790a6 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -51,7 +51,7 @@ profile firefox @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, # Firefox files @{MOZ_LIBDIR}/{,**} r, @@ -191,6 +191,10 @@ profile firefox @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}bin/vlc rPx, /{usr/,}bin/qbittorrent rPx, diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index 7f918972..8e823bf4 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot @@ -77,8 +77,11 @@ profile flameshot @{exec_path} { /{usr/,}bin/xdg-open mr, - # Allowed apps to open + owner @{HOME}/ r, + owner @{run}/user/[0-9]*/ r, + + # Allowed apps to open # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/freetube b/apparmor.d/freetube index 3c5415ca..95519c28 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube 
@@ -48,8 +48,8 @@ profile freetube @{exec_path} { @{FT_LIBDIR}/ r, @{FT_LIBDIR}/** r, @{FT_LIBDIR}/libffmpeg.so mr, - @{FT_LIBDIR}/swiftshader/libGLESv2.so mr, - @{FT_LIBDIR}/swiftshader/libEGL.so mr, + @{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr, + @{FT_LIBDIR}/{swiftshader/,}libEGL.so mr, @{FT_LIBDIR}/chrome-sandbox rPx, owner @{HOME}/ r, @@ -61,6 +61,7 @@ profile freetube @{exec_path} { owner /tmp/.org.chromium.Chromium.*/ rw, owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, owner /tmp/.org.chromium.Chromium.*/SS w, + owner /tmp/.org.chromium.Chromium.* w, owner /tmp/net-export/ rw, /dev/shm/ r, @@ -123,6 +124,10 @@ profile freetube @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, diff --git a/apparmor.d/frontend b/apparmor.d/frontend index 8ad975b3..8a8ef23d 100644 --- a/apparmor.d/frontend +++ b/apparmor.d/frontend @@ -25,9 +25,9 @@ profile frontend @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, # debconf apps /{usr/,}bin/adequate rPx, @@ -113,8 +113,15 @@ profile frontend @{exec_path} flags=(complain) { /usr/share/** r, /usr/share/** rPUx, + /etc/ r, /etc/** rw, - /var/cache/** rw, + /var/ r, + /var/** rw, + @{sys}/ r, + @{sys}/**/ r, + @{run}/ r, + @{run}/** r, + /tmp/ r, owner /tmp/** rw, } diff --git a/apparmor.d/fsck-btrfs b/apparmor.d/fsck-btrfs index 2acebfdd..0a1e7abf 100644 --- a/apparmor.d/fsck-btrfs +++ b/apparmor.d/fsck-btrfs @@ -19,7 +19,7 @@ profile fsck-btrfs @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /etc/fstab r, diff --git a/apparmor.d/fzsftp b/apparmor.d/fzsftp index 16558b07..9c982ed1 100644 --- a/apparmor.d/fzsftp +++ b/apparmor.d/fzsftp 
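Review bot: In the second frontend hunk `/var/** rw,` replaces `/var/cache/** rw,`, extending read/write to the whole of `/var` — including the dpkg and apt state under `/var/lib` and the logs — for a child profile that already executes anything under `/usr/share/**` unconfined (`rPUx`). The profile is in complain mode today, but this rule will become the enforced envelope later; keeping `/var/cache/** rw,` and adding only the specific `/var` subtrees the audit log showed, each with a comment naming the config script that needed it, would preserve the earlier boundary. `@{run}/** r,` has the same shape and merits the same treatment. The child profile closed by the `}` at the end of the hunk begins outside it.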
@@ -26,9 +26,9 @@ profile fzsftp @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash mrix, - /{usr/,}bin/ps rix, - /{usr/,}bin/ls rix, + /{usr/,}bin/{,ba,da}sh mrix, + /{usr/,}bin/ps rix, + /{usr/,}bin/ls rix, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/gajim b/apparmor.d/gajim index 2f0f3fd1..1113581f 100644 --- a/apparmor.d/gajim +++ b/apparmor.d/gajim @@ -32,17 +32,17 @@ profile gajim @{exec_path} { @{exec_path} r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, - /{usr/,}sbin/ldconfig rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}sbin/ldconfig rix, # To play sounds - /{usr/,}bin/aplay rCx -> audio, - /{usr/,}bin/pacat rCx -> audio, + /{usr/,}bin/aplay rCx -> audio, + /{usr/,}bin/pacat rCx -> audio, # Needed for GPG/PGP support - /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, # External apps /{usr/,}bin/xdg-settings rPUx, diff --git a/apparmor.d/games-wesnoth-sh b/apparmor.d/games-wesnoth-sh index e18680b3..06b9644b 100644 --- a/apparmor.d/games-wesnoth-sh +++ b/apparmor.d/games-wesnoth-sh @@ -19,13 +19,13 @@ profile games-wesnoth-sh @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /usr/games/wesnoth{,-[0-9]*} rPx, # For the editor - /{usr/,}bin/basename rix, - /{usr/,}bin/sed rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/sed rix, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/ganyremote b/apparmor.d/ganyremote index b2ba7df1..0354b9e5 100644 --- a/apparmor.d/ganyremote +++ b/apparmor.d/ganyremote 
@@ -30,16 +30,15 @@ profile ganyremote @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/which rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/gawk rix, /{usr/,}bin/anyremote rPx, /{usr/,}bin/ps rPx, diff --git a/apparmor.d/git b/apparmor.d/git index 9c8df883..38140691 100644 --- a/apparmor.d/git +++ b/apparmor.d/git @@ -44,7 +44,7 @@ profile git @{exec_path} { /{usr/,}bin/envsubst rix, /{usr/,}bin/gettext rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/pager rPx -> child-pager, @@ -136,7 +136,7 @@ profile git @{exec_path} { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/which rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index cd962e24..bea27718 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -186,6 +186,10 @@ profile google-chrome-chrome @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open # file_inherit diff --git a/apparmor.d/google-chrome-google-chrome b/apparmor.d/google-chrome-google-chrome index d5bb1c17..fbedbab4 100644 --- a/apparmor.d/google-chrome-google-chrome +++ b/apparmor.d/google-chrome-google-chrome 
@@ -24,13 +24,13 @@ profile google-chrome-google-chrome @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/which rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/which rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, @{CHROME_INSTALLDIR}/chrome rPx, diff --git a/apparmor.d/gparted b/apparmor.d/gparted index 856f6e3a..cc583ee3 100644 --- a/apparmor.d/gparted +++ b/apparmor.d/gparted @@ -18,14 +18,14 @@ profile gparted @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, /{usr/,}lib/udisks2/udisks2-inhibit rix, /usr/libexec/udisks2/udisks2-inhibit rix, diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index 3d53afd0..49ad27e1 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin @@ -44,7 +44,7 @@ profile gpartedbin @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/dmidecode rPx, /{usr/,}sbin/hdparm rPx, @@ -217,6 +217,10 @@ profile gpartedbin @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open # file_inherit diff --git a/apparmor.d/gpo b/apparmor.d/gpo index 50a7e93d..7bd4f54c 100644 --- a/apparmor.d/gpo +++ b/apparmor.d/gpo 
@@ -28,11 +28,11 @@ profile gpo @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/gpodder b/apparmor.d/gpodder index d9e7c1fe..73fbd70d 100644 --- a/apparmor.d/gpodder +++ b/apparmor.d/gpodder @@ -30,10 +30,9 @@ profile gpodder @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - - /{usr/,}bin/uname rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, owner @{HOME}/ r, owner @{HOME}/gPodder/ rw, @@ -79,6 +78,10 @@ profile gpodder @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/gpodder-migrate2tres b/apparmor.d/gpodder-migrate2tres index e4ca9592..4d111e14 100644 --- a/apparmor.d/gpodder-migrate2tres +++ b/apparmor.d/gpodder-migrate2tres @@ -22,9 +22,9 @@ profile gpodder-migrate2tres @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/gsmartcontrol-root b/apparmor.d/gsmartcontrol-root index 5e12622c..e05197e8 100644 --- a/apparmor.d/gsmartcontrol-root +++ b/apparmor.d/gsmartcontrol-root 
@@ -19,11 +19,11 @@ profile gsmartcontrol-root @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which rix, - /{usr/,}bin/pkexec rPx, + /{usr/,}bin/pkexec rPx, #include if exists } diff --git a/apparmor.d/gtk-youtube-viewer b/apparmor.d/gtk-youtube-viewer index b175fa2d..f8a6fbae 100644 --- a/apparmor.d/gtk-youtube-viewer +++ b/apparmor.d/gtk-youtube-viewer @@ -29,7 +29,7 @@ profile gtk-youtube-viewer @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/xterm rCx -> xterm, /{usr/,}bin/rxvt rCx -> xterm, @@ -71,8 +71,8 @@ profile gtk-youtube-viewer @{exec_path} { /{usr/,}bin/rxvt mr, /{usr/,}bin/urxvt mr, - /{usr/,}bin/zsh rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/youtube-viewer rPx, @@ -102,6 +102,10 @@ profile gtk-youtube-viewer @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index 54a52b7b..465055f7 100644 --- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -32,8 +32,7 @@ profile hardinfo @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/locale rix, /{usr/,}bin/ldd rix, /{usr/,}bin/tr rix, @@ -150,6 +149,10 @@ profile hardinfo @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/hw-probe b/apparmor.d/hw-probe index 8f1f7623..2142e01c 100644 --- a/apparmor.d/hw-probe +++ b/apparmor.d/hw-probe 
@@ -25,7 +25,7 @@ profile hw-probe @{exec_path} { /{usr/,}bin/pwd rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gawk rix, /{usr/,}bin/sleep rix, /{usr/,}bin/md5sum rix, diff --git a/apparmor.d/hwinfo b/apparmor.d/hwinfo index d21cd145..ad0927d8 100644 --- a/apparmor.d/hwinfo +++ b/apparmor.d/hwinfo @@ -34,12 +34,12 @@ profile hwinfo @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}sbin/dmraid rPUx, + /{usr/,}sbin/dmraid rPUx, @{PROC}/version r, @{PROC}/cmdline r, diff --git a/apparmor.d/i3lock-fancy b/apparmor.d/i3lock-fancy index 37e4c598..02d024c4 100644 --- a/apparmor.d/i3lock-fancy +++ b/apparmor.d/i3lock-fancy @@ -21,18 +21,18 @@ profile i3lock-fancy @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/fc-match rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/env rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/fc-match rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/env rix, - /{usr/,}bin/i3lock rPx, - /{usr/,}bin/xrandr rPx, + /{usr/,}bin/i3lock rPx, + /{usr/,}bin/xrandr rPx, /{usr/,}bin/convert-im6.q16 rCx -> imagemagic, /{usr/,}bin/import-im6.q16 rCx -> imagemagic, diff --git a/apparmor.d/ifup b/apparmor.d/ifup index eff86866..d8839ada 100644 --- a/apparmor.d/ifup +++ b/apparmor.d/ifup @@ -25,9 +25,9 @@ profile ifup @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/ip rix, - /{usr/,}bin/sleep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ip rix, + /{usr/,}bin/sleep rix, /{usr/,}sbin/dhclient rPx, /{usr/,}bin/macchanger rPx, 
diff --git a/apparmor.d/initd-kexec b/apparmor.d/initd-kexec index 5bfb5f8d..5cd40472 100644 --- a/apparmor.d/initd-kexec +++ b/apparmor.d/initd-kexec @@ -18,17 +18,17 @@ profile initd-kexec @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, - /{usr/,}bin/echo rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, + /{usr/,}bin/echo rix, - /{usr/,}sbin/kexec rPx, + /{usr/,}sbin/kexec rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rCx -> systemctl, /etc/default/kexec r, diff --git a/apparmor.d/initd-kexec-load b/apparmor.d/initd-kexec-load index 92620ba6..196d91da 100644 --- a/apparmor.d/initd-kexec-load +++ b/apparmor.d/initd-kexec-load @@ -18,24 +18,24 @@ profile initd-kexec-load @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/awk rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/head rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/awk rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/head rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, - /{usr/,}sbin/kexec rPx, + /{usr/,}sbin/kexec rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rCx -> systemctl, /no-kexec-reboot rw, diff --git a/apparmor.d/initd-kmod b/apparmor.d/initd-kmod index 267d1f5b..a74e5d00 100644 --- a/apparmor.d/initd-kmod +++ b/apparmor.d/initd-kmod 
@@ -18,18 +18,18 @@ profile initd-kmod @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, - /{usr/,}bin/id rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, + /{usr/,}bin/id rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/kmod rPx, + /{usr/,}bin/kmod rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rCx -> systemctl, /etc/modules-load.d/*.conf r, /etc/modules r, diff --git a/apparmor.d/install-printerdriver b/apparmor.d/install-printerdriver index fbbf0fdb..b520d540 100644 --- a/apparmor.d/install-printerdriver +++ b/apparmor.d/install-printerdriver @@ -21,7 +21,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/inxi b/apparmor.d/inxi index 939daa9d..702e7514 100644 --- a/apparmor.d/inxi +++ b/apparmor.d/inxi @@ -24,7 +24,7 @@ profile inxi @{exec_path} { /{usr/,}bin/perl r, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/zsh rix, /{usr/,}bin/tty rix, /{usr/,}bin/tput rix, diff --git a/apparmor.d/jdownloader b/apparmor.d/jdownloader index e2d88546..87b9cac6 100644 --- a/apparmor.d/jdownloader +++ b/apparmor.d/jdownloader @@ -112,6 +112,10 @@ profile jdownloader @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/jdownloader-install b/apparmor.d/jdownloader-install index d85963a3..6bbf2187 100644 --- a/apparmor.d/jdownloader-install +++ b/apparmor.d/jdownloader-install 
@@ -27,24 +27,23 @@ profile jdownloader-install @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/which rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/df rix, - /{usr/,}bin/nohup rix, - - /{usr/,}bin/dash rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/which rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/df rix, + /{usr/,}bin/nohup rix, # Check for old JD installations deny /opt/ r, diff --git a/apparmor.d/jgmenu b/apparmor.d/jgmenu index 458e59ce..8bff2daa 100644 --- a/apparmor.d/jgmenu +++ b/apparmor.d/jgmenu @@ -27,15 +27,16 @@ profile jgmenu @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/find rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/find rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/cat rix, /{usr/,}lib/jgmenu/jgmenu-* rix, + owner @{HOME}/ r, owner @{HOME}/.jgmenu-lockfile rwk, owner @{HOME}/.config/tint2/tint2rc r, diff --git a/apparmor.d/kanyremote b/apparmor.d/kanyremote index 14eb2340..7b044e10 100644 --- a/apparmor.d/kanyremote +++ b/apparmor.d/kanyremote 
@@ -32,25 +32,24 @@ profile kanyremote @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/which rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/head rix, - /{usr/,}bin/find rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/head rix, + /{usr/,}bin/find rix, - /{usr/,}bin/anyremote rPx, - /{usr/,}bin/ps rPx, + /{usr/,}bin/anyremote rPx, + /{usr/,}bin/ps rPx, - /{usr/,}bin/killall rCx -> killall, - /{usr/,}bin/pgrep rCx -> pgrep, + /{usr/,}bin/killall rCx -> killall, + /{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/pacmd rPUx, /{usr/,}bin/pactl rPUx, diff --git a/apparmor.d/kconfig-hardened-check b/apparmor.d/kconfig-hardened-check index 58d8fb4b..b5d0f055 100644 --- a/apparmor.d/kconfig-hardened-check +++ b/apparmor.d/kconfig-hardened-check @@ -29,7 +29,7 @@ profile kconfig-hardened-check @{exec_path} { @{PROC}/config.gz r, # This is for kernels, which are built manually - owner /**/.config r, + /**/.config r, #include if exists } diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc index f31fed9e..89b3c829 100644 --- a/apparmor.d/keepassxc +++ b/apparmor.d/keepassxc @@ -126,6 +126,10 @@ profile keepassxc @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, /{usr/,}bin/geany rPUx, diff --git a/apparmor.d/kernel-install b/apparmor.d/kernel-install index 5dea937d..e40fafb2 100644 --- a/apparmor.d/kernel-install +++ b/apparmor.d/kernel-install 
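Review bot: Dropping `owner` from `/**/.config r,` in the kconfig-hardened-check hunk lets the profile read any file named `.config` anywhere on the system regardless of who owns it, which is a wider grant than the comment above it (`# This is for kernels, which are built manually`) calls for. If the motivating case is a kernel tree owned by another user, a scoped rule such as `/usr/src/**/.config r,` (adjust to the actual build location) alongside the original `owner /**/.config r,` keeps the read limited to build trees rather than every dot-config on the box. The profile body continues outside the hunk.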
@@ -20,9 +20,7 @@ profile kernel-install @{exec_path} flags=(complain) { #include @{exec_path} r, - /{usr/,}bin/bash r, - - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/mountpoint rix, /{usr/,}bin/sort rix, diff --git a/apparmor.d/kodi b/apparmor.d/kodi index 47dc35f8..8492c7fd 100644 --- a/apparmor.d/kodi +++ b/apparmor.d/kodi @@ -30,7 +30,7 @@ profile kodi @{exec_path} { /{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix, /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/mv rix, /{usr/,}bin/find rix, /{usr/,}bin/date rix, diff --git a/apparmor.d/kvm-ok b/apparmor.d/kvm-ok index 967b474e..21a34a01 100644 --- a/apparmor.d/kvm-ok +++ b/apparmor.d/kvm-ok @@ -18,15 +18,15 @@ profile kvm-ok @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/id rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/id rix, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/rdmsr rPx, + /{usr/,}sbin/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/lightworks b/apparmor.d/lightworks index 746cdff2..23212dc7 100644 --- a/apparmor.d/lightworks +++ b/apparmor.d/lightworks @@ -19,13 +19,13 @@ profile lightworks @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}lib/lightworks/ntcardvt rPx, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/od rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/od rix, owner @{HOME}/Lightworks/{,**/} w, owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w, diff --git a/apparmor.d/linssid b/apparmor.d/linssid index 6b899cb1..531a785d 100644 --- a/apparmor.d/linssid +++ b/apparmor.d/linssid 
@@ -35,8 +35,8 @@ profile linssid @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: diff --git a/apparmor.d/lintian b/apparmor.d/lintian deleted file mode 100644 index 73af3857..00000000 --- a/apparmor.d/lintian +++ /dev/null 
@@ -1,194 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2020 Mikhail Morfikov -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - -#abi , - -#include - -@{BUILD_DIR} = /media/debuilder/ - -@{exec_path} = /usr/share/lintian/bin/lintian -@{exec_path} += /usr/share/lintian/bin/lintian-info -@{exec_path} += /usr/share/lintian/bin/spellintian -@{exec_path} += /{usr/,}bin/lintian -@{exec_path} += /{usr/,}bin/lintian-info -@{exec_path} += /{usr/,}bin/spellintian -profile lintian @{exec_path} flags=(complain) { - #include - #include - #include - - capability sys_ptrace, - - ptrace (read), - - @{exec_path} r, - /{usr/,}bin/perl r, - - /usr/share/lintian/helpers/** rix, - - /{usr/,}bin/dash rix, - /{usr/,}bin/fgrep rix, - /{usr/,}bin/env rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/nproc rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/find rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/file rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/sha{1,256,512}sum rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/filterdiff rix, - /{usr/,}bin/lexgrog rix, - /{usr/,}bin/mv rix, - /usr/bin/cp rix, - - /{usr/,}bin/{,@{multiarch}-}ar rix, - /{usr/,}bin/{,@{multiarch}-}readelf rix, - /{usr/,}bin/{,@{multiarch}-}strings rix, - - /{usr/,}bin/dpkg-source rcx -> dpkg-source, - /{usr/,}bin/gpg rCx -> gpg, - - /{usr/,}bin/dpkg-deb rPx, - /{usr/,}bin/man rPx, - /{usr/,}bin/dpkg-architecture rPx, - - /usr/share/intltool-debian/* rCx -> intltool, - - /usr/share/lintian/{,**} rk, - - /etc/lintianrc r, - - /etc/xml/catalog r, - - /dev/null rwk, - - # For file - /etc/magic r, - - owner /tmp/lintian-pool-*/ rw, - owner /tmp/lintian-pool-*/** rwkl -> 
/tmp/lintian-pool-*/**, - - # For gpg - owner /tmp/*/ rw, - owner /tmp/*/pubring.kbx w, - owner /tmp/*/random_seed w, - - owner /tmp/* rw, - owner /tmp/lintian-po-debconf-*/ rw, - owner /tmp/lintian-po-debconf-*/** rw, - - # For pbuilder - owner @{BUILD_DIR}/**.{changes,dsc,buildinfo,tar.*,deb} rk, - owner @{HOME}/**.{changes,dsc,buildinfo,tar.*,deb} rk, - - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pid}/environ r, - - /dev/ r, - /dev/**/ r, - - /etc/apt/apt.conf r, - /etc/apt/apt.conf.d/{,*} r, - - /etc/dpkg/origins/debian r, - /usr/share/dpkg/{cpu,tuple}table r, - - - profile dpkg-source flags=(complain) { - #include - #include - #include - - /{usr/,}bin/dpkg-source mr, - /{usr/,}bin/perl r, - - /{usr/,}bin/tar rix, - /{usr/,}bin/bunzip2 rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/patch rix, - - /etc/dpkg/origins/debian r, - - owner /tmp/lintian-pool-*/** rw, - - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - owner @{HOME}/** rwkl -> @{HOME}/**, - audit deny owner @{HOME}/.* mrwkl, - audit deny owner @{HOME}/.*/ rw, - audit deny owner @{HOME}/.*/** mrwkl, - - # file_inherit - owner /tmp/* rw, - - } - - profile gpg flags=(complain) { - #include - - /{usr/,}bin/gpg mr, - - owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r, - owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/trustdb.gpg rw, - owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/pubring.kbx rw, - owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*.gpg rw, - owner /tmp/*.gpg~ w, - owner /tmp/*.gpg.tmp rw, - owner 
/tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner @{run}/user/[0-9]*/gnupg/d.*/ rw, - - # file_inherit - owner /tmp/* rw, - - } - - - profile intltool flags=(complain) { - #include - #include - - /usr/share/intltool-debian/* mrix, - - /usr/bin/dash rix, - /usr/bin/xgettext rix, - - /usr/share/gettext/** r, - /usr/share/gettext-*/** r, - - owner /tmp/lintian-po-debconf-*/** rw, - - # file_inherit - owner /tmp/* rw, - - } - - #include if exists -} diff --git a/apparmor.d/linux-check-removal b/apparmor.d/linux-check-removal index ffd509b7..0595f00c 100644 --- a/apparmor.d/linux-check-removal +++ b/apparmor.d/linux-check-removal @@ -38,12 +38,12 @@ profile linux-check-removal @{exec_path} flags=(complain) { /{usr/,}bin/linux-check-removal rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, + /{usr/,}bin/whiptail rPx, owner /tmp/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/localepurge b/apparmor.d/localepurge index 36078d82..4ac3c114 100644 --- a/apparmor.d/localepurge +++ b/apparmor.d/localepurge 
@@ -19,24 +19,24 @@ profile localepurge @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/fgrep rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/du rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/find rix, + /{usr/,}bin/fgrep rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/du rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/find rix, - /{usr/,}bin/df rPx, + /{usr/,}bin/df rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/logrotate b/apparmor.d/logrotate index ea8adf60..885d1907 100644 --- a/apparmor.d/logrotate +++ b/apparmor.d/logrotate @@ -27,10 +27,13 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { capability setuid, capability fsetid, capability fowner, + capability net_admin, @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}sbin/ r, + + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ls rix, /{usr/,}bin/gzip rix, /{usr/,}sbin/invoke-rc.d rix, @@ -54,7 +57,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { /etc/logrotate.d/ r, /etc/logrotate.d/* rk, - /var/lib/logrotate/status{,.tmp} rw, + /var/lib/logrotate/status rwk, + /var/lib/logrotate/status.tmp rw, /var/log/** rw, diff --git a/apparmor.d/lsinitramfs b/apparmor.d/lsinitramfs index 5fced545..e95b9c90 100644 --- a/apparmor.d/lsinitramfs +++ b/apparmor.d/lsinitramfs 
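Review bot: In the logrotate hunk at -27, `capability net_admin,` is a broad grant for a log rotator and nothing in the hunk shows which consumer needs it; since postrotate actions run through `/{usr/,}sbin/invoke-rc.d rix` and `/{usr/,}bin/{,ba,da}sh rix` inherit this profile, every rotated service's postrotate script now holds net_admin too. If a single postrotate command needs it (presumably a service reload that touches network state), confining that command in a child profile (`rCx`) that carries the capability keeps it away from the rest of logrotate. At minimum the line should name its consumer, e.g. `# net_admin: needed by the <service> postrotate script (confirm)`. profile logrotate's body continues outside the hunk.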
@@ -18,10 +18,10 @@ profile lsinitramfs @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/getopt rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/getopt rix, /{usr/,}bin/unmkinitramfs rPx, diff --git a/apparmor.d/lynx b/apparmor.d/lynx index 24a660c5..d0427652 100644 --- a/apparmor.d/lynx +++ b/apparmor.d/lynx @@ -30,7 +30,7 @@ profile lynx @{exec_path} { /etc/mime.types r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /etc/mailcap r, owner /tmp/lynxXXXX*/ rw, diff --git a/apparmor.d/megasync b/apparmor.d/megasync index 0dd557e2..d9ec33f1 100644 --- a/apparmor.d/megasync +++ b/apparmor.d/megasync @@ -36,14 +36,14 @@ profile megasync @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/bash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, - /{usr/,}bin/xrdb rPx, - /{usr/,}bin/xdg-mime rPx, + /{usr/,}bin/xrdb rPx, + /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rCx -> open, # Megasync home files owner @{HOME}/ r, @@ -96,6 +96,11 @@ profile megasync @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/" r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 708aa33a..558b7c07 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -105,6 +105,10 @@ profile minitube @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/mke2fs b/apparmor.d/mke2fs index 4c5b845c..5b90f208 100644 --- a/apparmor.d/mke2fs +++ b/apparmor.d/mke2fs 
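Review bot: The `owner @{HOME}/ r,` and `owner @{run}/user/[0-9]*/ r,` pair added to megasync's xdg-open child profile (hunk -96) carries no rationale, whereas equivalent directory reads added elsewhere in this commit (popularity-contest, reportbug, run-parts) get a `# For shell pwd` comment. If the cause is the same — xdg-open is a shell script, so presumably the shell inspects its working directory — put that comment above the pair: `# For shell pwd`. The identical block is added in minitube, mumble, okular, orage, opera, psi-plus, qbittorrent, qnapi, qpdfview, querybts, quiterss, reportbug, smtube, strawberry, syncthing, telegram-desktop and thunderbird. The `open` child profile starts outside the hunk.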
@@ -22,7 +22,7 @@ profile mke2fs @{exec_path} {
 @{exec_path} mr,
 # To check for badblocks
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/badblocks rPx,
 /etc/mke2fs.conf r,
diff --git a/apparmor.d/mkinitramfs b/apparmor.d/mkinitramfs
index c2e4f5ee..304d51a8 100644
--- a/apparmor.d/mkinitramfs
+++ b/apparmor.d/mkinitramfs
@@ -24,37 +24,49 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tsort rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/id rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cpio rix, - /{usr/,}bin/env rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/tr rix, + /{usr/,}sbin/ r, + /{usr/,}bin/ r, + /{usr/,}lib/ r, + /{usr/,}lib64/ r, - /{usr/,}bin/ldd rCx -> ldd, - /{usr/,}sbin/ldconfig rCx -> ldconfig, - /{usr/,}bin/find rCx -> find, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/getopt rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tsort rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/id rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/env rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/tr rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/cpio rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/lzma rix, + /{usr/,}bin/lzop rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/zstd rix, + + /{usr/,}bin/ldd rCx -> ldd, + /{usr/,}sbin/ldconfig rCx -> ldconfig, + /{usr/,}bin/find rCx -> find, + /{usr/,}bin/kmod rCx -> kmod, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/linux-version rPx, # What to do with it? (#FIXME#) /usr/share/initramfs-tools/hooks/* rPUx, 
@@ -65,12 +77,17 @@ profile mkinitramfs @{exec_path} { /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, + # For shell pwd / r, /etc/ r, + /root/ r, + /etc/modprobe.d/{,*.conf} r, + /boot/ r, owner /boot/initrd.img-*.new rw, + /var/tmp/ r, owner /var/tmp/mkinitramfs_*/ rw, owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, @@ -86,7 +103,7 @@ profile mkinitramfs @{exec_path} { /{usr/,}bin/ldd mr, /{usr/,}bin/kmod mr, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}lib/@{multiarch}/ld-*.so rix, /{usr/,}lib{,x}32/ld-*.so rix, @@ -124,6 +141,7 @@ profile mkinitramfs @{exec_path} { # pwd dir / r, + /etc/ r, /root/ r, /usr/share/initramfs-tools/scripts/{,**/} r, diff --git a/apparmor.d/mumble b/apparmor.d/mumble index 94ae5427..d03c9d63 100644 --- a/apparmor.d/mumble +++ b/apparmor.d/mumble @@ -84,6 +84,10 @@ profile mumble @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/mumble-overlay b/apparmor.d/mumble-overlay index 60af44bb..747eee91 100644 --- a/apparmor.d/mumble-overlay +++ b/apparmor.d/mumble-overlay @@ -20,12 +20,12 @@ profile mumble-overlay @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/file rix, - /{usr/,}bin/which rix, + /{usr/,}bin/file rix, + /{usr/,}bin/which rix, - /{usr/,}bin/glxgears rPx, + /{usr/,}bin/glxgears rPx, /etc/magic r, diff --git a/apparmor.d/okular b/apparmor.d/okular index ecb25b05..0737ef28 100644 --- a/apparmor.d/okular +++ b/apparmor.d/okular @@ -109,6 +109,10 @@ profile okular @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/on-ac-power b/apparmor.d/on-ac-power index 64907d27..0d70d401 100644 
--- a/apparmor.d/on-ac-power +++ b/apparmor.d/on-ac-power @@ -18,10 +18,10 @@ profile on-ac-power @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/awk rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/awk rix, + /{usr/,}bin/cat rix, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @@ -29,5 +29,7 @@ profile on-ac-power @{exec_path} { @{PROC}/pmu/info r, @{PROC}/apm r, + / r, + #include if exists } diff --git a/apparmor.d/openbox b/apparmor.d/openbox index 61200bdf..66bbb6c6 100644 --- a/apparmor.d/openbox +++ b/apparmor.d/openbox @@ -61,8 +61,8 @@ profile openbox @{exec_path} { /{usr/,}lib/@{multiarch}/openbox-autostart mr, /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/which rix, # Apps allowed to run /{usr/,}bin/* rPUx, @@ -72,10 +72,10 @@ profile openbox @{exec_path} { /usr/local/lib/python*/dist-packages/ r, + owner @{HOME}/ r, owner @{HOME}/.config/openbox/autostart r, - /etc/xdg/openbox/autostart r, - owner @{HOME}/.config/autostart/{,*} r, + /etc/xdg/openbox/autostart r, /etc/xdg/autostart/{,*} r, # file_inherit diff --git a/apparmor.d/openbox-session b/apparmor.d/openbox-session index 1435d164..64d6c63b 100644 --- a/apparmor.d/openbox-session +++ b/apparmor.d/openbox-session @@ -19,10 +19,10 @@ profile openbox-session @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/xprop rPx, - /{usr/,}bin/openbox rPx, + /{usr/,}bin/xprop rPx, + /{usr/,}bin/openbox rPx, /etc/xdg/openbox/environment r, owner @{HOME}/.config/openbox/environment r, diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn index 22021a10..4bbcdc9d 100644 --- a/apparmor.d/openvpn +++ b/apparmor.d/openvpn 
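Review bot: In the openbox hunk at -72, `owner @{HOME}/.config/autostart/{,*} r,` is removed and nothing in the hunk replaces it, while the system-wide `/etc/xdg/autostart/{,*} r,` stays; the earlier hunk in the same file keeps `/{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix,`, and that helper runs under this profile and is what reads the user's XDG autostart entries. Unless the rule moved elsewhere in the profile (outside these hunks), user autostart .desktop files will now be denied, or only logged if the profile is in complain mode. If the removal is intended, a comment such as `# user autostart entries deliberately not readable` would make that explicit; otherwise restore the line next to `/etc/xdg/autostart/{,*} r,`. profile openbox's body continues outside the hunk.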
@@ -75,10 +75,10 @@ profile openvpn @{exec_path} { /etc/openvpn/update-resolv-conf.sh r, - /{usr/,}bin/bash rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/which rix, - /{usr/,}bin/ip rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/which rix, + /{usr/,}bin/ip rix, /{usr/,}sbin/xtables-nft-multi rix, /etc/iproute2/rt_tables r, @@ -93,16 +93,16 @@ profile openvpn @{exec_path} { capability net_admin, + /etc/openvpn/ r, /etc/openvpn/force-user-traffic-via-vpn.sh r, - /{usr/,}bin/dash rix, - #/{usr/,}bin/bash rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/ip rix, - /{usr/,}sbin/nft rix, - /{usr/,}bin/env rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/ip rix, + /{usr/,}sbin/nft rix, + /{usr/,}bin/env rix, /etc/iproute2/rt_realms r, /etc/iproute2/group r, diff --git a/apparmor.d/opera b/apparmor.d/opera index e1e4d3fe..03b86d94 100644 --- a/apparmor.d/opera +++ b/apparmor.d/opera @@ -183,8 +183,11 @@ profile opera @{exec_path} { /{usr/,}bin/xdg-open mr, - # Allowed apps to open + owner @{HOME}/ r, + owner @{run}/user/[0-9]*/ r, + + # Allowed apps to open # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/orage b/apparmor.d/orage index 5b584b03..4c0eeb86 100644 --- a/apparmor.d/orage +++ b/apparmor.d/orage @@ -58,6 +58,10 @@ profile orage @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/pam-auth-update b/apparmor.d/pam-auth-update index 555ed933..2c9f606c 100644 --- a/apparmor.d/pam-auth-update +++ b/apparmor.d/pam-auth-update 
@@ -44,9 +44,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { /{usr/,}sbin/pam-auth-update rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, diff --git a/apparmor.d/parted b/apparmor.d/parted index fbf5f4d1..919fc7e2 100644 --- a/apparmor.d/parted +++ b/apparmor.d/parted @@ -34,7 +34,7 @@ profile parted @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/udevadm rCx -> udevadm, diff --git a/apparmor.d/partprobe b/apparmor.d/partprobe index 49d48dc1..c75080c6 100644 --- a/apparmor.d/partprobe +++ b/apparmor.d/partprobe @@ -33,7 +33,7 @@ profile partprobe @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/udevadm rCx -> udevadm, diff --git a/apparmor.d/popcon-largest-unused b/apparmor.d/popcon-largest-unused index 0a77f5f7..10842b5f 100644 --- a/apparmor.d/popcon-largest-unused +++ b/apparmor.d/popcon-largest-unused @@ -21,13 +21,13 @@ profile popcon-largest-unused @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/xargs rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/xargs rix, - /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/apt-cache rPx, /var/log/popularity-contest r, diff --git a/apparmor.d/popularity-contest b/apparmor.d/popularity-contest index 25dce784..8689cfb1 100644 --- a/apparmor.d/popularity-contest +++ b/apparmor.d/popularity-contest 
@@ -31,13 +31,16 @@ profile popularity-contest @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/env rix, /{usr/,}bin/dpkg-query rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + # For shell pwd + /root/ r, + /etc/popularity-contest.conf r, /etc/dpkg/origins/debian r, @@ -48,8 +51,12 @@ profile popularity-contest @{exec_path} { @{PROC}/ r, - # file_inherit + /var/log/ r, /var/log/popularity-contest.new w, + + /var/lib/ r, + + # file_inherit /tmp/#[0-9]*[0-9] rw, #include if exists diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index 6fa65683..38a27f33 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus @@ -141,6 +141,10 @@ profile psi-plus @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent index c30cc747..a89c29b9 100644 --- a/apparmor.d/qbittorrent +++ b/apparmor.d/qbittorrent @@ -145,7 +145,11 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi index 41c0bf53..2a1361be 100644 --- a/apparmor.d/qnapi +++ b/apparmor.d/qnapi @@ -129,6 +129,10 @@ profile qnapi @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/qpdfview b/apparmor.d/qpdfview index 8bf7f459..73d6b2a7 100644 --- a/apparmor.d/qpdfview +++ b/apparmor.d/qpdfview @@ -109,6 +109,10 @@ profile qpdfview @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, 
diff --git a/apparmor.d/qt5ct b/apparmor.d/qt5ct
index a0726c59..88cd43ef 100644
--- a/apparmor.d/qt5ct
+++ b/apparmor.d/qt5ct
@@ -30,9 +30,7 @@ profile qt5ct @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/.config/qt5ct/ rw,
- owner @{HOME}/.config/qt5ct/** rwk,
- owner @{HOME}/.config/qt5ct/qt5ct.conf.* rwl -> @{HOME}/.config/qt5ct/#[0-9]*[0-9],
- owner @{HOME}/.config/qt5ct/colors/*.conf rwl -> @{HOME}/.config/qt5ct/colors/#[0-9]*[0-9],
+ owner @{HOME}/.config/qt5ct/** rwkl -> @{HOME}/.config/qt5ct/#[0-9]*[0-9],
 owner @{HOME}/.config/fontconfig/ rw,
 owner @{HOME}/.config/fontconfig/** rw,
diff --git a/apparmor.d/querybts b/apparmor.d/querybts
index 424bd77c..c7bfd0f1 100644
--- a/apparmor.d/querybts
+++ b/apparmor.d/querybts
@@ -31,13 +31,13 @@ profile querybts @{exec_path} {
 /{usr/,}bin/python3.[0-9]* r,
 /{usr/,}bin/ r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/stty rix,
- /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}sbin/ldconfig rix,
- /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/xdg-open rCx -> open,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 /etc/reportbug.conf r,
 owner @{HOME}/.reportbugrc r,
@@ -64,6 +64,10 @@ profile querybts @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss
index 59ee8b5a..e73f0eb6 100644
--- a/apparmor.d/quiterss
+++ b/apparmor.d/quiterss
@@ -95,6 +95,10 @@ profile quiterss @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/repo b/apparmor.d/repo
index a7ff2efe..62536305 100644
--- a/apparmor.d/repo
+++ b/apparmor.d/repo
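Review bot: The consolidated qt5ct rule's link target `@{HOME}/.config/qt5ct/#[0-9]*[0-9]` only matches temporary files directly under qt5ct/, but the removed `colors/*.conf` rule linked to `@{HOME}/.config/qt5ct/colors/#[0-9]*[0-9]`, a temporary file inside the colors/ subdirectory. If qt5ct still saves colour schemes atomically there (likely, given the old rule existed), those link operations are now denied. A target that covers both levels keeps the consolidation: `owner @{HOME}/.config/qt5ct/** rwkl -> @{HOME}/.config/qt5ct/{,**/}#[0-9]*[0-9],`. profile qt5ct's body continues outside the hunk.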
@@ -28,7 +28,7 @@ profile repo @{exec_path} flags=(complain) { /{usr/,}bin/ r, /{usr/,}bin/env rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/uname rix, /{usr/,}bin/git rix, diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index dc7c5c1a..c2abcbf0 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug @@ -34,8 +34,7 @@ profile reportbug @{exec_path} { /{usr/,}bin/ r, /{usr/,}sbin/ldconfig rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/stty rix, /{usr/,}bin/readlink rix, /{usr/,}bin/locale rix, @@ -64,7 +63,10 @@ profile reportbug @{exec_path} { /etc/** r, /etc/reportbug.conf r, - owner @{HOME}/.reportbugrc r, + owner @{HOME}/.reportbugrc{,~} rw, + + # For shell pwd + owner @{HOME}/ r, # Think what to do with it (#FIXME#) /usr/share/bug/*/{control,presubj} r, @@ -111,6 +113,10 @@ profile reportbug @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/run-parts b/apparmor.d/run-parts index 7af7e71f..2fbf74f3 100644 --- a/apparmor.d/run-parts +++ b/apparmor.d/run-parts @@ -50,11 +50,12 @@ profile run-parts @{exec_path} { profile motd { #include + / r, /etc/update-motd.d/[0-9]*-[a-z]* r, - /{usr/,}bin/dash r, - /{usr/,}bin/uname rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/cat rix, } 
@@ -65,25 +66,24 @@ profile run-parts @{exec_path} { /etc/kernel/header_postinst.d/* r, /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - /{usr/,}bin/bash r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/which rix, - /{usr/,}bin/kmod rix, + /{usr/,}bin/kmod rix, /{usr/,}bin/dpkg rPx -> child-dpkg, @@ -97,7 +97,11 @@ profile run-parts @{exec_path} { /{usr/,}sbin/update-grub rPUx, /{usr/,}bin/systemd-detect-virt rPUx, + # For shell pwd / r, + /boot/ r, + + /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, # For kmod diff --git a/apparmor.d/scrot b/apparmor.d/scrot index c7b6acf3..86c8c842 100644 --- a/apparmor.d/scrot +++ b/apparmor.d/scrot @@ -22,8 +22,8 @@ profile scrot @{exec_path} { @{exec_path} mr, # "mv" is needed to change the image dir - /{usr/,}bin/dash rix, - /{usr/,}bin/mv rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mv rix, # The image dir owner @{HOME}/*.png rw, diff --git a/apparmor.d/sddm b/apparmor.d/sddm index 7015ad47..73c34971 100644 --- a/apparmor.d/sddm +++ b/apparmor.d/sddm @@ -71,7 +71,7 @@ profile sddm @{exec_path} { @{exec_path} mr, /{usr/,}lib/@{multiarch}/sddm/sddm-helper rix, - /{usr/,}bin/dash mrix, + /{usr/,}bin/{,ba,da}sh mrix, /{usr/,}bin/sddm-greeter rPx, /etc/sddm/Xsession rPx, 
@@ -177,14 +177,14 @@ profile sddm @{exec_path} { /usr/share/sddm/scripts/Xstop r, /usr/share/sddm/scripts/wayland-session r, /usr/share/sddm/scripts/Xsession r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/zsh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/zsh rix, - /{usr/,}bin/id rix, - /{usr/,}bin/flatpak rPUx, - /{usr/,}bin/sway rPUx, + /{usr/,}bin/id rix, + /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/sway rPUx, /{usr/,}bin/dbus-run-session rix, /{usr/,}bin/dbus-daemon rPUx, diff --git a/apparmor.d/sddm-xsession b/apparmor.d/sddm-xsession index 600400d2..a24295d3 100644 --- a/apparmor.d/sddm-xsession +++ b/apparmor.d/sddm-xsession @@ -21,26 +21,25 @@ profile sddm-xsession @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/which rix, - /{usr/,}bin/id rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/date rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tempfile rix, - /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/which rix, + /{usr/,}bin/id rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/date rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tempfile rix, + /{usr/,}bin/mktemp rix, /{usr/,}bin/ r, - /{usr/,}bin/bash rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/tcsh rix, - /{usr/,}bin/csh rix, - /{usr/,}bin/fish rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/tcsh rix, + /{usr/,}bin/csh rix, + /{usr/,}bin/fish rix, /usr/local/bin/ r, diff --git a/apparmor.d/smtube b/apparmor.d/smtube index fca4c406..85a421f9 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -91,6 +91,10 @@ profile smtube @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, 
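Review bot: The new side of the sddm hunk at -177 contains `/{usr/,}bin/{,ba,da}sh rix,` twice — once replacing the old `/{usr/,}bin/dash r,` and once replacing `/{usr/,}bin/bash rix,`. The parser accepts duplicate rules, but the repetition is noise and obscures that two previously distinct grants (interpreter read vs. sub-shell exec) were merged into one; drop the second occurrence so the block reads `/{usr/,}bin/{,ba,da}sh rix,` followed directly by `/{usr/,}bin/zsh rix,`. This hunk sits inside a sub-block of profile sddm that starts and ends outside the hunk.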
diff --git a/apparmor.d/spacefm-auth b/apparmor.d/spacefm-auth index 4c00a775..cfa28057 100644 --- a/apparmor.d/spacefm-auth +++ b/apparmor.d/spacefm-auth @@ -18,7 +18,7 @@ profile spacefm-auth @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, #include if exists } diff --git a/apparmor.d/spectre-meltdown-checker b/apparmor.d/spectre-meltdown-checker index 52818031..6033900b 100644 --- a/apparmor.d/spectre-meltdown-checker +++ b/apparmor.d/spectre-meltdown-checker 
@@ -24,46 +24,46 @@ profile spectre-meltdown-checker @{exec_path} { capability syslog, @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/od rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/id rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/base64 rix, - /{usr/,}bin/unzip rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/head rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/od rix, + /{usr/,}bin/dd rix, + /{usr/,}bin/id rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/seq rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/base64 rix, + /{usr/,}bin/unzip rix, /{usr/,}bin/{,@{multiarch}-}readelf rix, /{usr/,}bin/{,@{multiarch}-}strings rix, /{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}sbin/iucode_tool rix, /{usr/,}bin/dmesg rix, - /{usr/,}bin/pgrep rCx -> pgrep, - /{usr/,}bin/ccache rCx -> ccache, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/pgrep rCx -> pgrep, + /{usr/,}bin/ccache rCx -> ccache, + /{usr/,}bin/kmod rCx -> kmod, # To fetch MCE.db from the MCExtractor project - /{usr/,}bin/wget rCx -> mcedb, - /{usr/,}bin/sqlite3 rCx -> mcedb, + /{usr/,}bin/wget rCx -> mcedb, + /{usr/,}bin/sqlite3 rCx -> mcedb, owner /tmp/mcedb-* rw, owner /tmp/smc-* rw, owner /tmp/intelfw-*/ rw, 
diff --git a/apparmor.d/startx b/apparmor.d/startx index bed435c5..8f7ffaf6 100644 --- a/apparmor.d/startx +++ b/apparmor.d/startx @@ -21,29 +21,33 @@ profile startx @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/mcookie rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/deallocvt rix, + /{usr/,}bin/hostname rix, + /{usr/,}bin/mcookie rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/deallocvt rix, - /{usr/,}bin/xauth rPx, - /{usr/,}bin/xinit rPx, + /{usr/,}bin/xauth rPx, + /{usr/,}bin/xinit rPx, /etc/X11/xinit/xinitrc r, /etc/X11/xinit/xserverrc r, + owner @{HOME}/ r, owner @{HOME}/.xinitrc r, owner @{HOME}/.xserverrc r, + /tmp/ r, owner /tmp/serverauth.* rw, + /dev/ r, owner /dev/tty[0-9]* rw, + #include if exists } diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index a7f855a5..45390291 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry @@ -122,6 +122,10 @@ profile strawberry @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/suid3num b/apparmor.d/suid3num index c4bbdf3d..2963f933 100644 --- a/apparmor.d/suid3num +++ b/apparmor.d/suid3num @@ -26,7 +26,7 @@ profile suid3num @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /usr/bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /usr/bin/find rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/synaptic b/apparmor.d/synaptic index 3f3c4873..39867492 100644 --- a/apparmor.d/synaptic +++ b/apparmor.d/synaptic 
@@ -72,13 +72,13 @@ profile synaptic @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/test rix,
- /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/test rix,
+ /{usr/,}bin/{,e}grep rix,
 # For update-apt-xapian-index
- /{usr/,}bin/nice rix,
- /{usr/,}bin/ionice rix,
+ /{usr/,}bin/nice rix,
+ /{usr/,}bin/ionice rix,
 # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two
 # following root processes:
@@ -133,6 +133,7 @@ profile synaptic @{exec_path} {
 /var/lib/dpkg/** r,
 /var/lib/dpkg/lock{,-frontend} rwk,
+ /tmp/ r,
 owner /tmp/apt-dpkg-install-*/ rw,
 owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing
index 0c44da15..d3d6a3ce 100644
--- a/apparmor.d/syncthing
+++ b/apparmor.d/syncthing
@@ -49,6 +49,10 @@ profile syncthing @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer
index 60774c06..65ef0ef7 100644
--- a/apparmor.d/system-config-printer
+++ b/apparmor.d/system-config-printer
@@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/python3.[0-9]* r,
 /usr/share/system-config-printer/{,**} r,
diff --git a/apparmor.d/system-config-printer-applet b/apparmor.d/system-config-printer-applet
index eab7e8d7..22f0e2cd 100644
--- a/apparmor.d/system-config-printer-applet
+++ b/apparmor.d/system-config-printer-applet
@@ -22,7 +22,7 @@ profile system-config-printer-applet @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/python3.[0-9]* r,
 /usr/share/system-config-printer/{,**} r,
diff --git a/apparmor.d/tasksel b/apparmor.d/tasksel
index 0748ba28..890e721a 100644
--- a/apparmor.d/tasksel
+++ b/apparmor.d/tasksel
@@ -21,7 +21,7 @@ profile tasksel @{exec_path} flags=(complain) {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/tempfile rix,
 /{usr/,}lib/tasksel/tasksel-debconf rix,
@@ -47,7 +47,7 @@ profile tasksel @{exec_path} flags=(complain) {
 #include
 /{usr/,}lib/tasksel/tests/* r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 }
@@ -62,9 +62,9 @@ profile tasksel @{exec_path} flags=(complain) {
 /{usr/,}bin/tasksel rPx,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/locale rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
 # The following is needed when debconf uses dialog/whiptail frontend.
 /{usr/,}bin/whiptail rPx,
diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop
index da228e37..a8d0ffcf 100644
--- a/apparmor.d/telegram-desktop
+++ b/apparmor.d/telegram-desktop
@@ -90,7 +90,11 @@ profile telegram-desktop @{exec_path} {
 /{usr/,}bin/xdg-open mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ owner @{TELEGRAM_WORK_DIR}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPx,
diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird
index 7584e8fe..a516ed3a 100644
--- a/apparmor.d/thunderbird
+++ b/apparmor.d/thunderbird
@@ -53,15 +53,14 @@ profile thunderbird @{exec_path} {
 @{exec_path} mrix,
 @{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/bash rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/which rix,
- /{usr/,}bin/ps rPx,
- /{usr/,}bin/dig rix,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/dig rix,
 # Thunderbird files
 /usr/share/thunderbird/{,**} r,
@@ -245,6 +244,10 @@ profile thunderbird @{exec_path} {
 /{usr/,}bin/exo-open mr,
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+ # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
 /{usr/,}bin/qpdfview rPUx,
diff --git a/apparmor.d/tint2conf b/apparmor.d/tint2conf
index b788fecc..79a76d7c 100644
--- a/apparmor.d/tint2conf
+++ b/apparmor.d/tint2conf
@@ -24,9 +24,9 @@ profile tint2conf @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/tint2 rPx,
+ /{usr/,}bin/tint2 rPx,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /usr/share/tint2/{,*} r,
diff --git a/apparmor.d/torify b/apparmor.d/torify
index a296fa98..279db423 100644
--- a/apparmor.d/torify
+++ b/apparmor.d/torify
@@ -18,7 +18,7 @@ profile torify @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 #include if exists
 }
diff --git a/apparmor.d/torsocks b/apparmor.d/torsocks
index 709bcb5d..cb1a5db3 100644
--- a/apparmor.d/torsocks
+++ b/apparmor.d/torsocks
@@ -18,7 +18,7 @@ profile torsocks @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 #include if exists
 }
diff --git a/apparmor.d/tpacpi-bat b/apparmor.d/tpacpi-bat
index 63f15223..74296698 100644
--- a/apparmor.d/tpacpi-bat
+++ b/apparmor.d/tpacpi-bat
@@ -21,8 +21,8 @@ profile tpacpi-bat @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/cat rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
 # To load the acpi_call module
 /{usr/,}bin/kmod rPx,
diff --git a/apparmor.d/ucf b/apparmor.d/ucf
index 804e1e1c..13a2a14d 100644
--- a/apparmor.d/ucf
+++ b/apparmor.d/ucf
@@ -19,8 +19,7 @@ profile ucf @{exec_path} flags=(complain) {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/seq rix,
@@ -60,20 +59,29 @@ profile ucf @{exec_path} flags=(complain) {
 # For md5sum
 /etc/** r,
 /usr/share/*/conffiles/* r,
- @{run}/* r,
+ @{run}/** r,
+ # For writing new config files
 /etc/** rw,
 /usr/share/debconf/confmodule r,
+ # For shell pwd
+ / r,
+ /root/ r,
+ profile pager flags=(complain) {
 #include
 #include
+ /{usr/,}bin/ r,
 /{usr/,}bin/sensible-pager mr,
+ # For shell pwd
+ /root/ r,
+ }
 profile frontend flags=(complain) {
@@ -87,9 +95,9 @@ profile ucf @{exec_path} flags=(complain) {
 /{usr/,}bin/ucf rPx,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/locale rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
 /etc/debconf.conf r,
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
diff --git a/apparmor.d/udiskie b/apparmor.d/udiskie
index 90dc9113..0f450829 100644
--- a/apparmor.d/udiskie
+++ b/apparmor.d/udiskie
@@ -59,6 +59,10 @@ profile udiskie @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+ # Allowed apps to open
 /{usr/,}bin/spacefm rPx,
diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd
index 487e029c..6e472617 100644
--- a/apparmor.d/udisksd
+++ b/apparmor.d/udisksd
@@ -35,7 +35,7 @@ profile udisksd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/umount rix,
 /{usr/,}bin/eject rPx,
diff --git a/apparmor.d/unhide-linux b/apparmor.d/unhide-linux
index 7069dacb..9f48f3b9 100644
--- a/apparmor.d/unhide-linux
+++ b/apparmor.d/unhide-linux
@@ -24,8 +24,8 @@ profile unhide-linux @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/ps rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/ps rix,
 @{PROC}/ r,
 @{PROC}/uptime r,
diff --git a/apparmor.d/unhide-posix b/apparmor.d/unhide-posix
index fc2f6057..550a55cb 100644
--- a/apparmor.d/unhide-posix
+++ b/apparmor.d/unhide-posix
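Review bot: `@{run}/** r,` replaces `@{run}/* r,` and turns a one-level read of /run into recursive read access to everything beneath it, which on a typical host includes other services' state directories and every user's runtime directory; the `# For md5sum` comment above it does not say which file under /run ucf actually hashes. If the needed path is known, naming it — `@{run}/<needed-dir>/* r,` with the real directory substituted — keeps the grant minimal, and a comment such as `# md5sum of <file> under /run` would document it. The profile is `flags=(complain)`, so the widening is logged rather than enforced today, but it becomes the effective policy once that flag is dropped. The `# For shell pwd` reads of `/` and `/root/` in this hunk are consistent with the rest of the series.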
@@ -24,10 +24,10 @@ profile unhide-posix @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/ps rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/ps rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{,e}grep rix,
 @{PROC}/ r,
 @{PROC}/uptime r,
diff --git a/apparmor.d/unhide-tcp b/apparmor.d/unhide-tcp
index addc0cf9..48917e27 100644
--- a/apparmor.d/unhide-tcp
+++ b/apparmor.d/unhide-tcp
@@ -24,11 +24,11 @@ profile unhide-tcp @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/ss rix,
- /{usr/,}bin/netstat rix,
- /{usr/,}bin/fuser rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/ss rix,
+ /{usr/,}bin/netstat rix,
+ /{usr/,}bin/fuser rix,
 @{PROC}/@{pids}/net/tcp{,6} r,
 @{PROC}/@{pids}/net/udp{,6} r,
diff --git a/apparmor.d/unmkinitramfs b/apparmor.d/unmkinitramfs
index 04e4e2ef..a6330fde 100644
--- a/apparmor.d/unmkinitramfs
+++ b/apparmor.d/unmkinitramfs
@@ -22,21 +22,21 @@ profile unmkinitramfs @{exec_path} {
 capability mknod,
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/xzcat rix,
- /{usr/,}bin/lz4cat rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/lzop rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/dd rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/cpio rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/xzcat rix,
+ /{usr/,}bin/lz4cat rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/lzop rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/dd rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/cpio rix,
 owner /boot/initrd.img-* r,
 owner /tmp/initrd.img-* r,
diff --git a/apparmor.d/update-ca-certificates b/apparmor.d/update-ca-certificates
index 581c6848..18682176 100644
--- a/apparmor.d/update-ca-certificates
+++ b/apparmor.d/update-ca-certificates
@@ -20,23 +20,23 @@ profile update-ca-certificates @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/test rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/test rix,
- /{usr/,}bin/openssl rix,
+ /{usr/,}bin/openssl rix,
 /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore,
 /{usr/,}bin/run-parts rCx -> run-parts,
@@ -74,7 +74,7 @@ profile update-ca-certificates @{exec_path} {
 /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/head rix,
 /{usr/,}bin/mountpoint rix,
diff --git a/apparmor.d/update-dlocatedb b/apparmor.d/update-dlocatedb
index e3118b77..d1bfddb0 100644
--- a/apparmor.d/update-dlocatedb
+++ b/apparmor.d/update-dlocatedb
@@ -19,15 +19,15 @@ profile update-dlocatedb @{exec_path} {
 #include
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/uniq rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/uniq rix,
- /{usr/,}bin/ionice rix,
+ /{usr/,}bin/ionice rix,
 /usr/share/dlocate/updatedb rCx -> updatedb,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
@@ -36,6 +36,9 @@ profile update-dlocatedb @{exec_path} {
 /var/lib/dlocate/dpkg-list w,
+ # For shell pwd
+ / r,
+ profile updatedb {
 #include
diff --git a/apparmor.d/update-initramfs b/apparmor.d/update-initramfs
index 07ec1c35..e8793583 100644
--- a/apparmor.d/update-initramfs
+++ b/apparmor.d/update-initramfs
@@ -19,18 +19,20 @@ profile update-initramfs @{exec_path} {
 #include
 @{exec_path} rix,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/ischroot rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/sha1sum rix,
- /{usr/,}bin/sync rix,
- /{usr/,}bin/uname rix,
+ /{usr/,}sbin/ r,
+
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/sha1sum rix,
+ /{usr/,}bin/sync rix,
+ /{usr/,}bin/uname rix,
 /{usr/,}bin/dpkg-trigger rPx,
 /{usr/,}bin/linux-version rPx,
@@ -38,6 +40,11 @@ profile update-initramfs @{exec_path} {
 /var/lib/initramfs-tools/* w,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+ /etc/initramfs-tools/update-initramfs.conf r,
 @{PROC}/1/mountinfo r,
diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids
index d2669395..d29747f9 100644
--- a/apparmor.d/update-pciids
+++ b/apparmor.d/update-pciids
@@ -19,31 +19,34 @@ profile update-pciids @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/chown rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/bunzip2 rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/zgrep rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/chown rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/echo rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/bunzip2 rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/zgrep rix,
- /{usr/,}bin/wget rCx -> browse,
- /{usr/,}bin/curl rCx -> browse,
- /{usr/,}bin/lynx rCx -> browse,
+ /{usr/,}bin/wget rCx -> browse,
+ /{usr/,}bin/curl rCx -> browse,
+ /{usr/,}bin/lynx rCx -> browse,
 /usr/share/misc/ r,
 /usr/share/misc/* rwl -> /usr/share/misc/*,
+ # For shell pwd
+ /root/ r,
+ profile browse {
 #include
diff --git a/apparmor.d/update-smart-drivedb b/apparmor.d/update-smart-drivedb
index 55f2a80c..c9d2afdd 100644
--- a/apparmor.d/update-smart-drivedb
+++ b/apparmor.d/update-smart-drivedb
@@ -18,26 +18,26 @@ profile update-smart-drivedb @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/dd rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cmp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/dd rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cmp rix,
- /{usr/,}sbin/smartctl rPx,
+ /{usr/,}sbin/smartctl rPx,
- /{usr/,}bin/gpg rCx -> gpg,
- /{usr/,}bin/wget rCx -> browse,
- /{usr/,}bin/curl rCx -> browse,
- /{usr/,}bin/lynx rCx -> browse,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/wget rCx -> browse,
+ /{usr/,}bin/curl rCx -> browse,
+ /{usr/,}bin/lynx rCx -> browse,
 /var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
@@ -70,7 +70,7 @@ profile update-smart-drivedb @{exec_path} {
 /{usr/,}bin/curl mr,
 /{usr/,}bin/lynx mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /etc/mime.types r,
 /etc/mailcap r,
diff --git a/apparmor.d/updatedb-mlocate b/apparmor.d/updatedb-mlocate
index b7e1aca6..064e13a1 100644
--- a/apparmor.d/updatedb-mlocate
+++ b/apparmor.d/updatedb-mlocate
@@ -27,7 +27,9 @@ profile updatedb-mlocate @{exec_path} {
 /{usr/,}sbin/on_ac_power rPx,
+ # For shell pwd
 / r,
+ /boot/ r,
 /boot/**/ r,
diff --git a/apparmor.d/usb-devices b/apparmor.d/usb-devices
index 6305a53b..1e836722 100644
--- a/apparmor.d/usb-devices
+++ b/apparmor.d/usb-devices
@@ -18,13 +18,13 @@ profile usb-devices @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/readlink rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/readlink rix,
 @{sys}/bus/ r,
 @{sys}/bus/usb/devices/ r,
diff --git a/apparmor.d/uscan b/apparmor.d/uscan
index 053ae619..d937d677 100644
--- a/apparmor.d/uscan
+++ b/apparmor.d/uscan
@@ -27,16 +27,16 @@ profile uscan @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/bash rix,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/file rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/pwd rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/file rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/uupdate rPUx,
+ /{usr/,}bin/uupdate rPUx,
 # To run custom maintainer scripts
 owner @{BUILD_DIR}/**/debian/* rPUx,
diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd
index 7213f7c7..60829ee0 100644
--- a/apparmor.d/usr.sbin.libvirtd
+++ b/apparmor.d/usr.sbin.libvirtd
@@ -31,6 +31,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
 mount options=(rw,rslave) -> /,
 mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+ umount /{var/,}run/libvirt/qemu/*.dev/,
 # libvirt provides any mounts under /dev to qemu namespaces
 mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
@@ -86,8 +87,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
 /{usr/,}lib/udev/scsi_id PUx,
 /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
 /usr/{lib,lib64}/xen/bin/* Ux,
- /usr/lib/xen-*/bin/libxl-save-helper PUx,
- /usr/lib/xen-*/bin/pygrub PUx,
+ /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
+ /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
 /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
 /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
diff --git a/apparmor.d/uupdate b/apparmor.d/uupdate
index 9e4f9795..579cc5cd 100644
--- a/apparmor.d/uupdate
+++ b/apparmor.d/uupdate
@@ -23,29 +23,29 @@ profile uupdate @{exec_path} flags=(complain) {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/expr rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/expr rix,
- /{usr/,}bin/perl rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/perl rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/md5sum rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/xz rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/bzip2 rix,
+ /{usr/,}bin/xz rix,
 # FIXME
 /{usr/,}bin/debchange rPUx,
diff --git a/apparmor.d/vidcutter b/apparmor.d/vidcutter
index 3d90226f..db9da1cb 100644
--- a/apparmor.d/vidcutter
+++ b/apparmor.d/vidcutter
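Review bot: `/usr/{lib,libexec}/xen-*/bin/pygrub PUx,` keeps the unconfined fallback (`U`) for a boot helper that, as I understand it, reads the guest's own disk image to find its bootloader configuration, so on a host that ships no `pygrub` profile the newly matched libexec path runs with no confinement at all; the same applies to the `libxl-save-helper` line above it. Since both lines are being touched anyway, `Px` would make a missing profile fail closed rather than open, or a comment such as `# PUx: falls back to unconfined when no child profile is installed` would at least record the assumption. The neighbouring `Ux` and `PUx` entries are outside the change and not re-raised here.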
@@ -145,6 +145,10 @@ profile vidcutter @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+ # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/vipw-vigr b/apparmor.d/vipw-vigr
index d0491e3a..a3a6b9a7 100644
--- a/apparmor.d/vipw-vigr
+++ b/apparmor.d/vipw-vigr
@@ -21,7 +21,7 @@ profile vipw-vigr @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/sensible-editor rCx -> editor,
 /{usr/,}bin/vim.* rCx -> editor,
@@ -52,7 +52,7 @@ profile vipw-vigr @{exec_path} {
 /{usr/,}bin/sensible-editor mr,
 /{usr/,}bin/vim.* mrix,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/which rix,
 owner @{HOME}/.selected_editor r,
diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager
index 9b1c1e60..0e44dc55 100644
--- a/apparmor.d/virt-manager
+++ b/apparmor.d/virt-manager
@@ -34,7 +34,7 @@ profile virt-manager @{exec_path} flags=(complain) {
 #include
 @{exec_path} rix,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/python3.[0-9]* r,
 /{usr/,}bin/ r,
diff --git a/apparmor.d/volumeicon b/apparmor.d/volumeicon
index 6aa55bfa..fff723c2 100644
--- a/apparmor.d/volumeicon
+++ b/apparmor.d/volumeicon
@@ -43,7 +43,7 @@ profile volumeicon @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 # Start the PulseAudio sound mixer
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/pavucontrol rPUx,
 # file_inherit
diff --git a/apparmor.d/whdd b/apparmor.d/whdd
index dfc431c6..c18aac1c 100644
--- a/apparmor.d/whdd
+++ b/apparmor.d/whdd
@@ -25,13 +25,13 @@ profile whdd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/tr rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/tr rix,
 # To read SMART attributes
- /{usr/,}sbin/smartctl rPx,
+ /{usr/,}sbin/smartctl rPx,
 owner @{PROC}/@{pid}/mounts r,
 @{PROC}/partitions r,
diff --git a/apparmor.d/wireshark b/apparmor.d/wireshark
index 810bdbf9..2a905e31 100644
--- a/apparmor.d/wireshark
+++ b/apparmor.d/wireshark
@@ -100,6 +100,10 @@ profile wireshark @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+ # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/x11-xsession b/apparmor.d/x11-xsession
index 17f8eeb1..80c3f97f 100644
--- a/apparmor.d/x11-xsession
+++ b/apparmor.d/x11-xsession
@@ -19,21 +19,21 @@ profile x11-xsession @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/id rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/tempfile rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/fold rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/tempfile rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/fold rix,
 /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver
index 54337681..9b369e08 100644
--- a/apparmor.d/xarchiver
+++ b/apparmor.d/xarchiver
@@ -27,11 +27,11 @@ profile xarchiver @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cp rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cp rix,
 # Archivers
 /{usr/,}bin/7z rix,
@@ -86,7 +86,11 @@ profile xarchiver @{exec_path} {
 /{usr/,}bin/xdg-open mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
 # Allowed apps to open
 /{usr/,}bin/engrampa rPUx,
diff --git a/apparmor.d/xautolock b/apparmor.d/xautolock
index 203c1243..aa0d2178 100644
--- a/apparmor.d/xautolock
+++ b/apparmor.d/xautolock
@@ -19,8 +19,8 @@ profile xautolock @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/env rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/env rix,
 # Locker apps to launch.
 /{usr/,}bin/i3lock-fancy rPx,
diff --git a/apparmor.d/xdg-desktop-menu b/apparmor.d/xdg-desktop-menu
index f25a59b8..87fdce01 100644
--- a/apparmor.d/xdg-desktop-menu
+++ b/apparmor.d/xdg-desktop-menu
@@ -22,20 +22,20 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/whoami rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/readlink rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/whoami rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/readlink rix,
 /{usr/,}bin/update-desktop-database rPx,
diff --git a/apparmor.d/xdg-email b/apparmor.d/xdg-email
index 9f10a5e4..ec88d475 100644
--- a/apparmor.d/xdg-email
+++ b/apparmor.d/xdg-email
@@ -19,8 +19,7 @@ profile xdg-email @{exec_path} flags=(complain) {
 #include
 @{exec_path} r,
-
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 #include if exists
 }
diff --git a/apparmor.d/xdg-icon-resource b/apparmor.d/xdg-icon-resource
index 1bb5f966..72016d29 100644
--- a/apparmor.d/xdg-icon-resource
+++ b/apparmor.d/xdg-icon-resource
@@ -22,16 +22,16 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/whoami rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/touch rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/whoami rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/touch rix,
 /{usr/,}bin/gtk-update-icon-cache rPUx,
diff --git a/apparmor.d/xdg-mime b/apparmor.d/xdg-mime
index 2b2911b6..227b68ca 100644
--- a/apparmor.d/xdg-mime
+++ b/apparmor.d/xdg-mime
@@ -20,21 +20,21 @@ profile xdg-mime @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/file rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/file rix,
- /{usr/,}bin/mimetype rPx,
- /{usr/,}bin/xprop rPx,
+ /{usr/,}bin/mimetype rPx,
+ /{usr/,}bin/xprop rPx,
 # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes:
@@ -51,6 +51,8 @@ profile xdg-mime @{exec_path} {
 owner @{HOME}/.Xauthority r,
+ owner @{run}/user/[0-9]*/ r,
+ # file_inherit
 /media/** rw,
diff --git a/apparmor.d/xdg-open b/apparmor.d/xdg-open
index 6a82d18f..01995998 100644
--- a/apparmor.d/xdg-open
+++ b/apparmor.d/xdg-open
@@ -20,7 +20,7 @@ profile xdg-open @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/cut rix,
diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver
index f4f373df..05384ade 100644
--- a/apparmor.d/xdg-screensaver
+++ b/apparmor.d/xdg-screensaver
@@ -21,7 +21,9 @@ profile xdg-screensaver @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/ r,
+
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/mv rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
@@ -39,9 +41,12 @@ profile xdg-screensaver @{exec_path} {
 /dev/dri/card[0-9] rw,
+ owner @{HOME}/ r,
 owner @{HOME}/.Xauthority r,
 owner /tmp/xauth-[0-9]*-_[0-9] r,
+ owner @{run}/user/[0-9]*/ r,
+ # file_inherit
 owner @{HOME}/.xsession-errors w,
 /dev/dri/card[0-9]* rw,
diff --git a/apparmor.d/xdg-settings b/apparmor.d/xdg-settings
index 813ab653..1c2e2cd0 100644
--- a/apparmor.d/xdg-settings
+++ b/apparmor.d/xdg-settings
@@ -20,19 +20,19 @@ profile xdg-settings @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/uname rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/uname rix,
 # When xdg-settings is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes:
diff --git a/apparmor.d/xinit b/apparmor.d/xinit
index edff27c3..c5fcc2e1 100644
--- a/apparmor.d/xinit
+++ b/apparmor.d/xinit
@@ -29,6 +29,7 @@ profile xinit @{exec_path} {
 /etc/X11/xinit/xinitrc rix,
 /etc/X11/xinit/xserverrc rix,
+ /{usr/,}bin/ r,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/touch rix,
 /{usr/,}bin/{,e}grep rix,
@@ -71,6 +72,7 @@ profile xinit @{exec_path} {
 /etc/default/{,*} r,
 # Xsession logs
+ owner @{HOME}/ r,
 owner @{HOME}/.xsession-errors w,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/xorg b/apparmor.d/xorg
index ec6f669e..928535da 100644
--- a/apparmor.d/xorg
+++ b/apparmor.d/xorg
@@ -67,9 +67,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/xkbcomp rPx,
- /{usr/,}bin/pkexec rPx,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/xkbcomp rPx,
+ /{usr/,}bin/pkexec rPx,
 # Xorg files
 /etc/X11/{,**} r,
@@ -83,12 +83,14 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 # Log files
 owner /var/log/Xorg.[0-9].log{,.old} rw,
 owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
+ owner @{HOME}/ r,
 owner @{HOME}/.local/share/xorg/ rw,
 owner @{HOME}/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
 owner @{HOME}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
 owner @{HOME}/.xsession-errors w,
 # TMP files
+ /tmp/ r,
 owner /tmp/.X11-unix/ rw,
 owner /tmp/.X11-unix/X* rwk,
 owner /tmp/.tX[0-9]-lock rwk,
diff --git a/apparmor.d/xrdb b/apparmor.d/xrdb
index 6fd1b63e..8e558219 100644
--- a/apparmor.d/xrdb
+++ b/apparmor.d/xrdb
@@ -20,8 +20,8 @@ profile xrdb @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
 /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
 /usr/include/stdc-predef.h r,
diff --git a/apparmor.d/youtube-viewer b/apparmor.d/youtube-viewer
index e6c1d396..78501f64 100644
--- a/apparmor.d/youtube-viewer
+++ b/apparmor.d/youtube-viewer
@@ -28,11 +28,11 @@ profile youtube-viewer @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/infocmp rix,
- /{usr/,}bin/stty rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/infocmp rix,
+ /{usr/,}bin/stty rix,
- /{usr/,}bin/wget rCx -> wget,
+ /{usr/,}bin/wget rCx -> wget,
 owner @{HOME}/.config/youtube-viewer/{,*} rw,
 owner @{HOME}/.cache/youtube-viewer/{,*} rw,